pfSense - Basic LAN Firewall Rules

Comments • 96

  • @Connie-sq8yu
    @Connie-sq8yu a day ago

    This type of rule is clear now thanks to your approach, well done. Thank you, subscribed!!!

  • @johnh10000
    @johnh10000 7 months ago

    Oh that's fab! ...my preconfigured captive portal worked too ;)

  • @thebaldfox
    @thebaldfox 4 years ago +10

    Dude this was brilliant. Perfect pace and explanation. You got a subscriber here!

  • @jonjames3437
    @jonjames3437 7 months ago

    This is a brilliant tutorial - many thanks. The gateway trick is very useful. However, would you be kind enough to show us how you set up the virtual machines in VirtualBox? That way we can set up our own firewall test-beds to check that the firewall rules / DNS / web access etc. are working - for example we could emulate a guest user but make sure the guest can't access the firewall admin page etc. I hope that's ok, many thanks in advance.

  • @ProjectRK3147
    @ProjectRK3147 3 years ago +3

    Great video, I really get it and understand due to your excellent explanation. Can you do one for OpenVPN that can access LAN resources and a webserver? Thank you in advance.

  • @alexramirez5104
    @alexramirez5104 2 years ago

    Thanks! Awesome job.

  • @casperghst42
    @casperghst42 3 years ago +3

    Only found this now (great), how about adding VLANs to the mix where you only have one LAN and one WAN port on the router. And then have 3 VLANs; LAN, GUEST and IoT. Thanks.

    • @GatewayITTutorials
      @GatewayITTutorials 3 years ago +2

      In the end (VLAN or not) everything comes down to being a network on pfSense, so as long as you set up these firewall rules on every network you've got, you should be good to go :)

  • @gaelle2961
    @gaelle2961 3 years ago +2

    thank you very much man

  • @arturkruszyna4741
    @arturkruszyna4741 4 years ago +2

    How could I diagnose a problem with a TV decoder connected directly via RJ45 to my pfSense?
    Channels, if they load at all, load very slowly. For example, if I switch to channel 5 (e.g. BBC) on the remote control, I see a black screen for 30 seconds and then the content appears; sometimes the content will not appear and I see a black screen with text information about what content is currently transmitted on this channel. My configuration is an ISP router switched to bridge mode, with pfSense connected to it. I have basic firewall rules with DHCP (as DNS here I put the IP of my pfSense and the DNS of my ISP and Google DNS).
    The situation is strange: if I plug in another router instead of pfSense, the content on all channels loads quickly.
    I tried to reinstall pfSense but it didn't help. What can this delay or failure to load the content be due to? Could you suggest how to diagnose it?

    • @GatewayITTutorials
      @GatewayITTutorials 4 years ago

      Is it only a TV box that's having issues? Have you narrowed down the problem to the pfSense itself? A half-working cable or a weird switch config could cause that too.
      If you already narrowed it down, try removing buffer bloat on the line. Here is a video that will show you how to do it:
      th-cam.com/video/iXqExAALzR8/w-d-xo.html
      Another issue might be that your TV box requires UPnP network support. Here is a doc from pfSense on how to configure it:
      docs.netgate.com/pfsense/en/latest/services/upnp.html

    • @arturkruszyna4741
      @arturkruszyna4741 3 years ago +1

      @@GatewayITTutorials Thank you for the reply. Before I wrote here I also tested many options, including checking 3 different cables. I don't use a switch or hub; bufferbloat - tested with only the TV box and my PC plugged into the LAN (96.1/46.8 Mbps, bufferbloat - B, Quality - A); turning on UPnP changed nothing. All the above tests I repeated today and the problem still exists.
      But today I found an old Netgear WNR612v2 router which I plugged into my pfSense, connected the TV box to this router, and voila, TV works well 😊 This solution is temporary; for many reasons I don't want to use the Netgear router, so I would like to solve this issue without the Netgear.
      ISP router (bridge mode) < pfSense < Netgear < TV box - this works well
      ISP router (bridge mode) < pfSense < TV box - this doesn't work well

    • @GatewayITTutorials
      @GatewayITTutorials 3 years ago

      @@arturkruszyna4741 did you try a static IP configuration? It must have something to do with NTP/DNS/DHCP or firewall rules. What happens if you use a static config on the TV box?
      If static is assigned right now, try DHCP. Troubleshooting this kind of equipment is hard due to a lack of tools on the TV Box itself.
      Also, try and create a firewall rule from that specific IP, and then check the states it creates. The rule would be:
      Allow, all, source IP-OF-THE-TV-BOX, destination any. This will narrow the field of search down. Check if all states are established and not closed.
      Then create the same rule for a Netgear and check what happens then.

  • @kanes5105
    @kanes5105 4 years ago +3

    I'm in the process of setting up pfSense on my network, and I like this idea of the separation of IoT from the rest of the network. I currently have approx. 35-odd devices including smart bulbs, cameras and so forth. I would also like to restrict the wireless access from the rest of the network except for specific computers. Do you have any suggestions on the best approach to this? I'm thinking, if someone was to gain access via wireless, they could potentially have access to the whole network. Your thoughts would be greatly appreciated. Again, thanks for the videos that you have done, very easy to follow.

    • @GatewayITTutorials
      @GatewayITTutorials 4 years ago +1

      Always separate the WiFi from the main network.
      Best approach: only Internet access on wireless; if staff need access to servers, VPN in.
      Somewhat optimal approach:
      Create 2 WiFi networks - one for guests and one for internal.

    • @kanes5105
      @kanes5105 4 years ago +1

      Thanks for the quick reply. This is for my home network; my goal is to prevent the IoT devices from having access to the home network. FYI, I have ensured all the IoT devices have updated firmware, and pw's have all been changed from anything default. I would just like to keep them all separate just in case any of them go postal...lol. I've implemented DNS redirect as you have done in your video. One question: I've used Quad9 as my primary and secondary DNS; I was considering Cloudflare but stopped short after watching the Lawrence Systems video in regards to DNS filtering. Here's the link if interested. Again, thanks for your reply. Cheers th-cam.com/video/imlFubYv8YY/w-d-xo.html

    • @GatewayITTutorials
      @GatewayITTutorials 4 years ago +1

      CloudFlare have started this trend only recently and will evolve much faster than Q9, at least I've got a feeling they will.
      Just a side note, so you don't have to Google them :)
      Malware blocking servers:
      1.1.1.2
      1.0.0.2
      Malware and porn-like content blocking servers:
      1.1.1.3
      1.0.0.3

  • @haileygrace1924
    @haileygrace1924 3 years ago

    I need help providing an internet connection to my VirtualBox for my pfSense for Ubuntu. I need the internet connection to download packages from pfSense. PLEASE HELP!!!!!!!

  • @NChantband
    @NChantband a day ago

    Thank you - measured, clear and good information

  • @Mr.Leeroy
    @Mr.Leeroy 4 years ago +5

    3:29 That way you are still allowing any traffic through the chosen gateway, which includes private networks in the WAN net. If your WAN is not the Internet directly but something like the LAN of an ISP router (not all ISPs allow bridge mode on their devices), then you would allow the Guest net to access the management interface of the ISP device.
    Instead, make an RFC1918 networks alias and use an "allow Guest net to NOT RFC1918" rule.

    • @GatewayITTutorials
      @GatewayITTutorials 4 years ago

      Thanks for your comment, but I would argue that it's an edge use case. We usually have up to 30 networks on our systems, to divide multicast, create a VLAN for a client, etc. Managing everything through aliases this way gets very messy over time; imagine 30-40 subnets to manage through aliases, plus people very often forget to update them when a new network is created.
      In your use case I would rather create a rule at the top (or before the gateway rule) that would deny any traffic on WAN that belongs to a private range of IPs (i.e. 10.0.0.0/8, or smth).
      But if your approach works for you -- great! It's just not something we look forward to using.

    • @Mr.Leeroy
      @Mr.Leeroy 4 years ago +5

      @@GatewayITTutorials you did not get it. The rule that I'm talking about works in any setup and you can have as many networks as you like, but you only need one universal alias (with 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). That rule means exactly what it says: "only allow Internet". For it to work you just add another rule on top to allow traffic to the net address of each interface, in other words an "allow gateway" rule.
      The problem with your setup is that it is overly permissive and is a bad practice no matter the use case.

  • @acerides1724
    @acerides1724 2 years ago

    That's great, but I still can't figure out how to manage Wi-Fi/DHCP devices by group or profiles, or even MAC address. I.e., for all the kids' iPads and school computers, block all social media sites connecting to Wi-Fi in bridge mode.

  • @vincentcamaso2885
    @vincentcamaso2885 3 years ago +1

    Thank you man, you explained it very well. I suggest making a video about IPS/IDS using pfSense.

  • @lencumbow
    @lencumbow 2 years ago +1

    Subscribed. Thank you.

  • @jeytis72
    @jeytis72 4 years ago +4

    Great! Very clear explanation. Could you please delve a bit deeper into this matter and make more tutorials, on port forwarding too? Thanks

    • @GatewayITTutorials
      @GatewayITTutorials 4 years ago +1

      Hi. Thanks for the suggestion. A new video is coming on Zabbix web monitoring this week, and I'll probably make a NAT video next week.

    • @yuriw777
      @yuriw777 4 years ago

      Please do more, in particular on when and how to use floating rules.
      The video is great!

  • @BustinCasts
    @BustinCasts a year ago +1

    This video is much appreciated. It was nice to see a simple approach to pfSense firewall rules with explanations of what we were setting up. Thank you for a great video!

  • @mcstadmin
    @mcstadmin 3 years ago +1

    Exactly what I was looking for. I kept hitting roadblocks with UniFi VLANs; this is a much better approach!

  • @chrisumali9841
    @chrisumali9841 4 years ago +2

    Thanks for this clear and great demonstration. Have a great day

  • @greengo123jf
    @greengo123jf 2 years ago +1

    I love this video. I am learning here. Thanks so much. 😊

  • @paulvancyber1979
    @paulvancyber1979 4 years ago +1

    Mate, this is a very good video!!! I'm going to search for more videos; I'm trying to learn a lot about pfSense. Greetings from Mexico

  • @Martin-ot7xj
    @Martin-ot7xj 2 years ago +1

    Hi there, how can we create a firewall rule on pfSense to block all incoming traffic from outside or the internet to our network for more security, but so that from the inside network everyone can access the internet? If possible, please make a tutorial about it. thnx

    • @GatewayITTutorials
      @GatewayITTutorials 2 years ago +1

      It's blocked by default; you don't need to do anything extra.

    • @Martin-ot7xj
      @Martin-ot7xj a year ago

      @@GatewayITTutorials how can I see the rule?? thnx

  • @jclokwork
    @jclokwork 2 years ago

    I would love to see how you handle notifications

  • @andymok7945
    @andymok7945 4 years ago +1

    Thanks very much for this video. It's the first video that shows some new techniques that others have not shown.

  • @kodikodi9948
    @kodikodi9948 2 years ago +1

    great information. thanks!

  • @Rickety3263
    @Rickety3263 3 years ago +1

    How does DHCP work if hosts are blocked from communicating with the firewall? Does it work because technically the host is communicating with the broadcast address?
    How does the DNS resolver service work when access to 'this firewall' is rejected? Must DNS be configured on the host machine and go directly to the internet? (i.e. 8.8.8.8 or whatever)
    I wonder if you have to open up UDP/TCP 53 from guest to the firewall in order to take advantage of the built-in DNS forwarder/resolver.
    I do allow ICMP from hosts to their own gateways so at least if there's a connection issue, you can test whether it's the host or the network.

    • @GatewayITTutorials
      @GatewayITTutorials 3 years ago

      Good question.
      pfSense hides some default rules, like NTP and DHCP, which are allowed by default even if you block access to the firewall. This is because the default hidden rules are at the top of the firewall list.
      DNS is different; it is not at the top of the list, so when access to "this firewall" is blocked, DNS gets blocked.
      I hope it makes sense.

    • @Rickety3263
      @Rickety3263 3 years ago +1

      @@GatewayITTutorials yup! Good info, thanks!

  • @franciscolastra
    @franciscolastra a year ago

    Short and sweet. And really helpful. Many thanks.
    Ideas?: any advice on how to deal with IoT traffic will be much...very much appreciated

  • @JBlask
    @JBlask a year ago

    I would like to see something on managing firewall certificates with Let's Encrypt, Hadoop, ACME, and dynamic DNS. Thanks.

  • @khuzistaakhtermeem6480
    @khuzistaakhtermeem6480 a year ago

    Could you explain OSPF configuration in pfSense, please? Also the connection between a MikroTik router and pfSense, please.

  • @jamma355
    @jamma355 4 years ago +1

    Man, you saved me so much more frustration. I was trying to separate my IoT devices, and when I blocked access from IoT to LAN I had no internet... no matter what I did and what firewall rules I set, changed etc., it wouldn't work. I watched your video and it was fixed. I didn't allow DNS to the LAN network; I did it and bam, all is working. I was about to reinstall my OPNsense firewall. Thanks to your video it's all fixed.
    Thanks a lot. :)

  • @karlnaval
    @karlnaval 3 years ago +1

    Did you already make a video about Link Aggregation? Like converting LAN to LAGG without using a new interface?

    • @GatewayITTutorials
      @GatewayITTutorials 3 years ago +1

      I did not, but here is what you have to do:
      Create a new LAGG interface (use the inactive members), make sure it works.
      Then download a backup config file and make a few copies of it (this is important). Edit one of the copies with Notepad++ on Windows or gedit/nano/vi on Linux/BSD.
      Scroll through the file replacing the static interface with LAGG, and add it to the LAGG group. If anything goes wrong, just upload and restore one of the good copies to the firewall to make it work again. Repeat the process until you get it right)

    • @karlnaval
      @karlnaval 3 years ago

      @@GatewayITTutorials Thanks for the reply. I actually made the LAGG LAN a long time ago and it's just sitting there; I just don't know what's the easiest next step. My thought before was just to make a LAGG VLAN and just change LAN to the VLAN of the LAGG. Is that even possible?

  • @BrianThomas
    @BrianThomas 4 years ago +1

    Great video, thank you so much. What about management VLANs for network devices? How do you prevent them from reaching the internet? I blocked the WAN IP and I'm still able to ping the outside DNS from the remote VLAN.

    • @GatewayITTutorials
      @GatewayITTutorials 4 years ago +1

      Thank you :)
      Instead of blocking the WAN IP, block everything:
      Source LAN_NET (your network name), destination Any.

    • @BrianThomas
      @BrianThomas 4 years ago +1

      @@GatewayITTutorials silly question. If I block everything, how will I be able to connect with it if I'm on another VLAN? I'll have to have one machine that's on that VLAN that's used only for management.

    • @GatewayITTutorials
      @GatewayITTutorials 4 years ago

      @@BrianThomas You'll find answers to all questions here) At least I'll try to answer.
      As stated in the video, all rules for internal interfaces are egress, which means you are blocking only outgoing traffic.
      Example: VLAN1, rule block any - source VLAN1_NET, destination any. VLAN2, rule allow any - source VLAN2_NET, destination any. Devices on VLAN1 are only capable of talking to the devices on the same network. Devices from VLAN2 can connect to anything including VLAN1.
      Hope that makes sense. I am deploying CCTV installs in this fashion; that way they cannot call back to their Chinese vendors, but I can still connect and manage them from another trusted VLAN.
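Added example, not code from the video or the channel: a small Python model of pfSense-style first-match rule evaluation that checks the two points argued in this thread and in the RFC1918 alias exchange above, namely that an "allow guest to any" rule also reaches private networks behind the WAN while an "allow to NOT RFC1918" rule does not, and that internal interface rules only filter connections the hosts on that interface initiate. The addresses, interface names and the ISP router at 192.168.1.1 are constructed assumptions, and the gateway option of the video's rule is not modelled.

```python
import ipaddress

# The RFC1918 alias as described in the thread (10/8, 172.16/12, 192.168/16).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def match(field, ip):
    """Match a rule's source/destination field against an address.
    field is 'any', a CIDR, the alias name 'RFC1918' or its negation '!RFC1918'."""
    if field == "any":
        return True
    addr = ipaddress.ip_address(ip)
    if field in ("RFC1918", "!RFC1918"):
        hit = any(addr in net for net in RFC1918)
        return hit if field == "RFC1918" else not hit
    return addr in ipaddress.ip_network(field)


def evaluate(rules, src, dst):
    """First-match evaluation of one interface tab, the way pfSense walks it.
    rules: list of (action, src_field, dst_field). Anything unmatched hits the
    implicit default deny at the bottom of every interface."""
    for action, rule_src, rule_dst in rules:
        if match(rule_src, src) and match(rule_dst, dst):
            return action
    return "block"


def can_initiate(rulesets, src_if, src, dst):
    """Rules on internal interfaces filter traffic entering pfSense from that
    interface, i.e. connections its hosts initiate. Replies ride the state
    table, so only the initiator's interface rules are consulted."""
    return evaluate(rulesets[src_if], src, dst) == "pass"


# Constructed addressing (assumption, not the video's lab):
#   GUEST 192.168.50.0/24 with firewall address 192.168.50.1, LAN 10.0.0.0/24,
#   ISP router at 192.168.1.1 on the private network behind the WAN.
GUEST_NET, GUEST_GW = "192.168.50.0/24", "192.168.50.1/32"

# Overly permissive variant discussed in the thread: "allow guest to any".
PERMISSIVE = [("pass", GUEST_NET, "any")]

# "Only allow Internet": allow the interface address first (DNS, gateway),
# then everything that is NOT RFC1918; the default deny catches the rest.
INTERNET_ONLY = [
    ("pass", GUEST_NET, GUEST_GW),
    ("pass", GUEST_NET, "!RFC1918"),
]

# Egress example from the management-VLAN exchange: VLAN1 blocks everything
# it initiates, VLAN2 may reach anything (including VLAN1).
RULESETS = {
    "vlan1": [("block", "10.0.1.0/24", "any")],
    "vlan2": [("pass", "10.0.2.0/24", "any")],
}

if __name__ == "__main__":
    for dst in ("8.8.8.8", "192.168.1.1", "10.0.0.5", "192.168.50.1"):
        print(dst, "permissive:", evaluate(PERMISSIVE, "192.168.50.20", dst),
              "internet-only:", evaluate(INTERNET_ONLY, "192.168.50.20", dst))
    print("vlan2 host -> vlan1 camera:", can_initiate(RULESETS, "vlan2", "10.0.2.10", "10.0.1.10"))
    print("vlan1 camera -> vlan2 host:", can_initiate(RULESETS, "vlan1", "10.0.1.10", "10.0.2.10"))
```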

  • @Saqibss
    @Saqibss 2 years ago +1

    An explanation as to why the first rule where you add the gateway works would be nice.
    Also, would it not be possible to just prevent management access to the firewall (ssh/443 etc.) by removing the guest interface from the available interfaces for management?

    • @TheStereoField
      @TheStereoField 2 years ago

      Couldn’t you just have two rules to cover everything?
      1. allow guest -> wan
      2. Deny guest -> everything

    • @bme7491
      @bme7491 a year ago

      @@TheStereoField A single rule to deny traffic to all private networks would work to provide access only to the Internet.

  • @vinkenwood8233
    @vinkenwood8233 2 years ago

    I shared it with my wife, but she didn't care. Never mind. Great video!

  • @xXDeltaXxwhotookit
    @xXDeltaXxwhotookit a year ago

    Thank you! Been looking for a while to find out how to do this...

  • @parmindersbedi
    @parmindersbedi 3 years ago

    Brilliant Video, keep them coming :-)

  • @sidkris5197
    @sidkris5197 a year ago +1

    Very clear. Love the way you explain.

  • @glenntrinidad9817
    @glenntrinidad9817 3 years ago +1

    Is it possible to make 2 VPN clients connected to a single VPN server and using 2 different ports (1194, 1195) able to see each other on the network?

    • @GatewayITTutorials
      @GatewayITTutorials 3 years ago +1

      Absolutely possible, but I would use DNS for this use case, because the VPN server might give you a different IP every time you connect.

    • @glenntrinidad9817
      @glenntrinidad9817 3 years ago

      @@GatewayITTutorials Thanks for the insight... Do you have any tutorials on how to do these using DNS? Thanks for the help. Really appreciate it.

    • @GatewayITTutorials
      @GatewayITTutorials 3 years ago +1

      That's a very specific use case, I am afraid, which would not be applicable to a lot of people, so I didn't make any content around it. If you'd like some help with that setup -- reach out in our Reddit community, or send me an email :)

    • @glenntrinidad9817
      @glenntrinidad9817 3 years ago +1

      @@GatewayITTutorials It would be wonderful if you can lay your knowledge with me on this problem. Can you pls have your email and I will surely give you a buzz. Thank you so much.

    • @GatewayITTutorials
      @GatewayITTutorials 3 years ago +1

      @@glenntrinidad9817 It's at the beginning and at the end of each video :)
      I don't want to post it here, because bots will scan it and I'll start receiving even more spam)

  • @d3mist0clesgee12
    @d3mist0clesgee12 2 years ago

    Great video, thanks.

  • @JhosmanLizarazo
    @JhosmanLizarazo 4 years ago +1

    How to block LAN IP address to LAN IP address (on the same LAN interface), example: 192.168.0.10 to 192.168.0.20

    • @GatewayITTutorials
      @GatewayITTutorials 4 years ago +2

      pfSense is a zone-based firewall; it cannot block traffic on the same network, it wouldn't make any sense. You have 2 options here: move .20 to a separate network, or use an internal firewall solution on either .10 or .20.

    • @JhosmanLizarazo
      @JhosmanLizarazo 4 years ago

      @@GatewayITTutorials I need to lock all traffic on port 22 in the LAN network.

    • @GatewayITTutorials
      @GatewayITTutorials 4 years ago

      @@JhosmanLizarazo you gotta be more specific on this. Is it still .10.x to .10.x, everything on port 20? If so, do you use Debian-based servers on that subnet?

    • @JhosmanLizarazo
      @JhosmanLizarazo 4 years ago

      @@GatewayITTutorials yes. In LAN net
      10.0.0.x
      I need to lock all traffic to specific ports
      LAN to LAN

    • @GatewayITTutorials
      @GatewayITTutorials 4 years ago

      Use ufw directly on the servers themselves to block the traffic on port 22.

  • @rickjames6948
    @rickjames6948 3 years ago

    How about the LAN side? What should it look like for maximum usage and security?

    • @GatewayITTutorials
      @GatewayITTutorials 3 years ago

      But the video is about the LAN rules, LAN -> WAN and LAN1 -> LAN2 in particular.
      Did you mean WAN -> LAN port forwarding?

    • @rickjames6948
      @rickjames6948 3 years ago +1

      @@GatewayITTutorials I thought the video was about the LAN Guest setup and locking it down. GREAT VIDEO, to the point and HELPFUL, sir.

    • @rickjames6948
      @rickjames6948 3 years ago +1

      @@GatewayITTutorials No port forwarding. Just what should our LAN rules look like? Some people allow 80, 443, 53 and so on, then BLOCK everything else.

    • @GatewayITTutorials
      @GatewayITTutorials 3 years ago

      As pointed out in the video, add everything you need to allow at the top, then deny all the rest at the bottom. As for 80, 443 and 53, these are the default allow rules, so you can get to the firewall management web page (80, 443), and 53 is there for you to be able to use DNS inside of your network instead of an external DNS service.

  • @mhonbermoy1109
    @mhonbermoy1109 4 years ago

    Hi sir, after I added the new rule in the guest interface, I'm still not able to ping the LAN network.

    • @GatewayITTutorials
      @GatewayITTutorials 4 years ago

      Hello. What exactly are you trying to ping? For example, the Windows firewall will block any request (including ping) from a different subnet. Add a rule inside the Windows firewall, or temporarily disable it to perform a test.

  • @yuriw777
    @yuriw777 4 years ago

    Will the reject rule block the traffic to the firewall's external IP assigned by DDNS?

    • @GatewayITTutorials
      @GatewayITTutorials 4 years ago

      Where from?
      External client -> your firewall?

    • @yuriw777
      @yuriw777 4 years ago

      @@GatewayITTutorials It will block, say, from the Guest Net to the firewall but via the external DDNS name - I tested this case.
      One more question - I used exactly your example to block my Guest Net from accessing the LAN. But I need to allow a subset of devices, say TVs, to be able to access LAN resources (Plex server etc.). What would be the best way to achieve this?

    • @GatewayITTutorials
      @GatewayITTutorials 4 years ago

      @@yuriw777 glad you've had that tested.
      Create an alias with the list of IPs for your trusted devices inside of the guest network.
      Then create a new rule at the very top of your guest subnet:
      Allow all traffic, source TrustedDevicesAlias, destination Internal network. No need to specify a gateway.
      That should do it.

    • @yuriw777
      @yuriw777 4 years ago

      @@GatewayITTutorials Thank you! That's what I have done, wanted to make sure it's good practice!

    • @yuriw777
      @yuriw777 4 years ago

      @@GatewayITTutorials And if, for example, you want to block access from the Guest Net to an external IP, what would the rule look like then?