"If they find an issue with public key encryption, we're all in trouble and your firewall will be the least of your concerns." Something about that made me chuckle in fear lol.
That seems like a solid idea. I've used openvpn to have a remote router "phone home" and it's stable but certainly a more involved setup. How are you setting up the remote sites to deal with dynamic IPs and what do you do for your password management as all of the remote sites are at localhost:port? is there an autossh package on pfsense to get it to phone home to you with a reverse tunnel setup?
Just a note, do not use port 222 or 5555 as given in the example. Both ports are commonly scanned for as well as many many others. For the most 10 most common scanned ports watch AT&T ThreatTraq Internet Weather Report th-cam.com/play/PLq4ic8ODT5PfsdQ7XBnKqIa2FBLmwjanL.html . Also remember to use best security practices for SSH as it can allow access to any computer on any connected network not just the localhost.
How do you centrally manage and monitor your entire fleet of pfsense devices for outages and other issues? Also with public/private keys for SSH, how do you keep up with with all the keys on each firewall that's specific to each of your technicians? Is there a way you can orchestrate changes like for example if a technician had their computer stolen would you have to remote into each firewall individually and revoke the key or could you do it with a couple of clicks and push that change to every firewall at once?
If pfSense is in a virtual machine and the WAN IP of it is a private, example 192.168.1.23, you must disable "Block private networks and loopback addresses" under Interfaces/Wan in order to have the Firewall rules to work.
We made a central management system for pfsense, based on SSH port forwarding. To be able to view all kind of information in one dashboard. Uptime states CPU mem backups, live icmp etc
@@LAWRENCESYSTEMS I needed to expose mysql to my friend, but I didn't want to install ssh on the mysql server because I'm going to moving it to a container eventually, so I rather him authenticate thorough the pfsense box. I came up with this, ssh -L 3306:(ip-of-mysql-server):3306 -p (random-port-for-this) (non-admin-pfsense-username-with-publickey)@(my-public-ip-address), I'm sure this not the right way to do this, but it does work. I would like to know how to properly set this up so they can have to authenticate before they can get access to a port. I was going to setup a second openvpn on pfsense but I figured that was overkill since only need to expose one port. Thank You
if you configure a rule that allows access to https, it will allow anyway, despite ssh rule. I mean I can connect via browser before(without) connecting via ssh
!!! Ho Li $#! +. There goes any hesitation I had for going all in on pfSense. I obviously don't know what I don't know. Any suggestions for an overview of things past the basics that Linux can do?
This seems like a lot of work. Why not toss a ip on the loopback, create a ipsec tunnel to your network, this way you can manage the device at the far end from anywhere within your own management network. That way you can stay sanitized and not have ports opened etc. I understand the port is only opened from a particular source but this just seems like a lot of work.
Great video, I'm having a bit of a problem hitting the localhost:5555 cant connect at all, do I need to add other rule beside the ssh allow on the WAN ? The admin access and the wan rule have been configured correctly Thanks guys
FYI, from the start it's a good idea to temporarily disable SSHGuard/Login Protection before too many failed SSH logins happen. Don't ask me how I know. 🙂
hey tom nice and great video, hoping that you have also a video on how to set up on windows command. I'm following your videos. More power and I hope sooner or later you read my comment. Keep Safe
Okay, I have watched the video again and I have a question. Can I get a let's encrypt certificate for pfSense box? Will the same scripts work that I use on my debian based boxes? I do realize it is BSD based that's why I ask.
teacher I am from Peru. I am a student. I would like if you could teach us from the beginning snort openaddid + pfbloquers. Excuse greetings from Peru and thanks for your videos
So you do need the private key to login to the server correct? because if someone had your IP and your public key they shouldn't be able to do anything is that correct?
@@LAWRENCESYSTEMS Yes, peehaps even to the point why if your private key is stolen on a laptop, you should revoke the existing public key from your servers and create a new the private key. Paranoid? Perhaps but nice to know that the servers you are responsible for are not accessible by ill-gotten means.
"If they find an issue with public key encryption, we're all in trouble and your firewall will be the least of your concerns." Something about that made me chuckle in fear lol.
Thats pretty neat, actually had no idea that was possible, the way to get the webconfigurator thru ssh.
Perfect, this is exactly the answer I needed.
Thank you!
That seems like a solid idea. I've used openvpn to have a remote router "phone home" and it's stable but certainly a more involved setup.
How are you setting up the remote sites to deal with dynamic IPs and what do you do for your password management as all of the remote sites are at localhost:port?
is there an autossh package on pfsense to get it to phone home to you with a reverse tunnel setup?
Just a note, do not use port 222 or 5555 as given in the example. Both ports are commonly scanned for as well as many many others. For the most 10 most common scanned ports watch AT&T ThreatTraq Internet Weather Report th-cam.com/play/PLq4ic8ODT5PfsdQ7XBnKqIa2FBLmwjanL.html . Also remember to use best security practices for SSH as it can allow access to any computer on any connected network not just the localhost.
How do you centrally manage and monitor your entire fleet of pfsense devices for outages and other issues? Also with public/private keys for SSH, how do you keep up with with all the keys on each firewall that's specific to each of your technicians? Is there a way you can orchestrate changes like for example if a technician had their computer stolen would you have to remote into each firewall individually and revoke the key or could you do it with a couple of clicks and push that change to every firewall at once?
You’re a great teacher.
If pfSense is in a virtual machine and the WAN IP of it is a private, example 192.168.1.23, you must disable "Block private networks and loopback addresses" under Interfaces/Wan in order to have the Firewall rules to work.
We made a central management system for pfsense, based on SSH port forwarding. To be able to view all kind of information in one dashboard. Uptime states CPU mem backups, live icmp etc
We use zabbix for that
Is his main OS parrot ? Great Video helped a lot with my syslog machine!
Just saw this video.. what a great tutorial! Thank you so much. One question... how would you use this with putty?
I don't use putty anymore but it is supported this site has a write up www.akadia.com/services/ssh_putty.html
Awesome video. Thank you
My pleasure!
Great video. Did you end up ever making a video on ssh port forwarding with pfsense?
th-cam.com/video/3-DU47zDrQk/w-d-xo.html
@@LAWRENCESYSTEMS I needed to expose mysql to my friend, but I didn't want to install ssh on the mysql server because I'm going to moving it to a container eventually, so I rather him authenticate thorough the pfsense box. I came up with this, ssh -L 3306:(ip-of-mysql-server):3306 -p (random-port-for-this) (non-admin-pfsense-username-with-publickey)@(my-public-ip-address), I'm sure this not the right way to do this, but it does work. I would like to know how to properly set this up so they can have to authenticate before they can get access to a port. I was going to setup a second openvpn on pfsense but I figured that was overkill since only need to expose one port. Thank You
if you configure a rule that allows access to https, it will allow anyway, despite ssh rule. I mean I can connect via browser before(without) connecting via ssh
Excellent video. A query how can I limit the amount of digital certificate for client devices on an Openvpn server from PfSense
Thanks Tom! Great stuff. 👍
Can you share your bash prompt?
YES PLEASE, that was a wicked looking bash, never seen a bash so detailed. PLEASE TELL US
I asked the same question again, and he answered! (see above)
github.com/flipsidecreations/dotfiles
!!! Ho Li $#! +. There goes any hesitation I had for going all in on pfSense. I obviously don't know what I don't know. Any suggestions for an overview of things past the basics that Linux can do?
This seems like a lot of work. Why not toss a ip on the loopback, create a ipsec tunnel to your network, this way you can manage the device at the far end from anywhere within your own management network. That way you can stay sanitized and not have ports opened etc. I understand the port is only opened from a particular source but this just seems like a lot of work.
Rogan, Interested in your method as well. Any existing reference as to how to actualize it? Tnx!
Great video, I'm having a bit of a problem hitting the localhost:5555 cant connect at all, do I need to add other rule beside the ssh allow on the WAN ? The admin access and the wan rule have been configured correctly Thanks guys
great video as usual. thank you
FYI, from the start it's a good idea to temporarily disable SSHGuard/Login Protection before too many failed SSH logins happen. Don't ask me how I know. 🙂
Does anyone know what BASH that is ?
It is awesome looking, lots of detail.
github.com/flipsidecreations/dotfiles
hey tom nice and great video, hoping that you have also a video on how to set up on windows command. I'm following your videos. More power and I hope sooner or later you read my comment. Keep Safe
Okay, I have watched the video again and I have a question. Can I get a let's encrypt certificate for pfSense box? Will the same scripts work that I use on my debian based boxes? I do realize it is BSD based that's why I ask.
There is a pfsense plugin for the ACME cert system
hello sir, i cannot access my pfsense web gui.i installed them in virtualbox.do you know how to solve this?thank you.
It would be nice if pfSense would support SSH Certificates
teacher I am from Peru. I am a student. I would like if you could teach us from the beginning snort openaddid + pfbloquers. Excuse greetings from Peru and thanks for your videos
So you do need the private key to login to the server correct? because if someone had your IP and your public key they shouldn't be able to do anything is that correct?
Correct, keep your private key super locked down
@@LAWRENCESYSTEMS Yes, peehaps even to the point why if your private key is stolen on a laptop, you should revoke the existing public key from your servers and create a new the private key.
Paranoid? Perhaps but nice to know that the servers you are responsible for are not accessible by ill-gotten means.
Hi Tom, can you help me how to allow skype on pfsense? Thanks
It is allowed
Thanks for your reply, followed your tutorial on pfBlocker but Skype is blocked, just don't know where it is filtered from.
That varies with what list you are using.
found it, thank you.