Awesome stuff Naomi, and just in time too... I'm just about to start installing, as soon as I figure out how to make the damn m.2 NVME drive work, an opnsense router here.... probably works similarly to pfsense. I'd go with pfsense but it's still not compatible with the nics in my router. But it's super nice to see it explained step by step like this... major reason why I got the whole thing in the first place is because I want to isolate my NAS devices into separate networks, so couldn't ask for more.
I set up my home firewall with OpenBSD to do something similar years ago and have had no problems with it. I set up a different subnet for work that was treated as your IoT subnet was here, and another one for business for my own personal work, etc. I would also separate proprietary OSes and commodity hardware like IoT to restrictive networks.
I know the video is about a year old at this point, but I tumbled across it as I was pondering reworking my own home network. I get the "tiers of privacy" type structure, and when I held a lot of client information, I was very strict about it. However, once I closed my business, I became very lax about network privacy. Here's one issue I've not been able to puzzle out. TVs, and other devices typically go in the "low privacy" network as outlined in this video. Now let's say I implement a media server that streams local data over my network to my TV, my phone, etc. The phone and TV are typically on different nets. So where does the media server go? Lowest privacy network. Seems like I wouldn't want it there b/c I want to keep it a bit more secure. Do I put it on a more secure network and then create a firewall rule to allow the TV to talk to it? Seems to defeat the purpose of putting it in the higher security network. This is why I became lazy about network privacy b/c I couldn't figure this out.
I can't figure out how keeping your storage in a network that cannot be accessed by your everyday computers, such as indicated in this video, is realistic. How does having a NAS that cannot be accessed by your computer help? In this situation, it doesn't seem to help that your NAS can access your computer if contact cannot be initiated by your computer. The only thing that I can figure is that you can assign a static IP address to your computer and then have a rule that allows access from that one IP address to your NAS. But then that kind of defeats the purpose of having the NAS and your everyday computer on separate networks.
I found how Naomi is thinking of this down in the comments below. When her devices are simply being used to access the internet, and don't need the storage, they are connected to the LAN network. When she needs to access the storage, she connects her devices to the higher security storage network. The idea being that you only connect to the higher security network when you need the items on that network. Less likely to compromise your storage if you only connect when you need to I guess.
I haven't watched any of your videos yet, I just appreciate someone explaining all the hidden aspects of technology. So subscribed, and looking forward to checking you out 😎
@NaomiBrockwellTV hi Naomi, I'm trying to set up my homelab based on your videos. I need VPN but I'm not sure which is best. -Have you heard of BytzVPN from Rob Braxman (he is into privacy like you)? Have you tested BytzVPN? -When will you post the home VPN videos?
Do you need 2 wifi routers for your LAN devices and IoT devices? Since your networks are segmented into OPT2 and LAN? And then don't you need extra ports on the back to connect them in?
How is your LAN going to access the NAS if it's blocked? That seems to defeat the purpose of NAS. Also, if I want all 3 to have wifi, that means I need 3 wifi routers right? Most IoT can only use wifi, so you definitely need one for OPT2. Same for phones on LAN. Are there no issues running that many wifi? Also, does this mean your IoT can't be controlled from your phone? I guess unless you connect to OPT2 wifi, right?
A great follow up to this would be a VLAN tutorial. No need to use the other physical interfaces on the router, but you will need a Switch, preferably a managed switch.
Great video, thanks! I have a dumb question about network isolation. If your NAS is on IOT1, how do you have access to it if it's not available from LAN? As any computer or phone will be on the LAN network. If anyone has answers, I will be grateful. Thanks :)
In my office I have an Ethernet cable to LAN and an Ethernet cable to OPT1, so when I need to access the NAS I just switch cables. I like it better than giving my computer prolonged periods of access.
Or you tweak your firewall settings. You could give your laptop a fixed IP address in the LAN segment (best way is over a fixed DHCP lease on pfsense) and then you make a rule where this one IP address is allowed to contact only your NAS IP on the OPT1 network. Bad actors could use this "hole" in the firewall when they hacked your laptop. But the same is true when the malware is on your laptop and you connect it with the physical cable.
If your IOT devices are on one network and your iPhone which runs their apps is on the other network, how do the apps control/get the statuses from the IOT devices? Doesn’t there need to be two way traffic between the two networks?
@Niklas2516 Thanks Niklas. I guess for things like security or doorbell cameras, a rule would have to be created to let any messages that they initiate get through. Is that how it would work?
For those who find pfsense a bit complicated, IPFire is a great choice. I've been running IPFire for many years and switched to running it on a Protectli device a year ago. The bad thing about Protectli though is many of their lower end devices (2 ports and 4 ports) have many hardware vulnerabilities due to the old Intel chips being used. I have the 2 port version and it is plagued with hardware vulnerabilities. IPFire has a built in checker to check for hardware vulnerabilities unlike pfsense, which is an awesome feature to inspect the hardware to ensure it is not vulnerable. I am working to look at different hardware since my current Protectli I bought a year ago has too many hardware vulnerabilities on it now. If you get Protectli, get coreboot BIOS, since all their stuff is made/flashed in China, but at least with coreboot you get open source firmware vs who knows what extra stuff is included in the China flashed firmware.
I personally wouldn't worry about these CPU vulnerabilities unless you're worried about someone that could potentially gain physical access to your device and run code on it. It's way more of a concern for businesses than for home users. It's not like the router will just run random code off the internet.
Good, simple and clear vid. But I'd say the only thing that is not communicated here is that anything on your "untrusted" network which, while it may be blocked from your regular LAN, or whatever you configured, the devices on that network will not only be able to talk to the internet, but will also be able to talk to the other devices on that network as well. So while you can protect your regular computers on your trusted LAN network from these less trustworthy IoT devices, this won't protect and isolate one IoT device from any other IoT device on that same network.
Naomi, I have a legit question: all of this is nice for wired devices, but what happens if I have wireless devices in many subnetworks (LAN and OPT2 in this case)? Do I need to plug in 2 different wireless routers in the "pfSense" firewall (one for LAN wireless devices and another for OPT2 wireless devices)? Also, is the firewall to be connected between the modem and a router, or the firewall must be connected downstream to a router (modem ➔ router ➔ firewall)?
The easy answer: modem -> Firewall/router. Pfsense is already a router and a firewall. You can have one Access Point but then you have to work with VLANs. The detailed answer is too complex to write here. Then you have to bind the VLANs to an interface (let's say opt2) and then you can create a WLAN Network for each VLAN.
Wow what a crash course but excellent! Though I may have to watch the PFsense set up a few more times as I'm not getting how all my network appliances like light bulbs, plugs, Alexa, ecobee etc. will be able to work off their phone apps sitting on the other network?
What about IoT devices on a separate VLAN that allows only bidirectional DNS (UDP/53 and TCP/53) and Plex (Port 36400) but does not allow communication with the main VLAN? It has been discussed in a video by Crosstalk Solutions.
I appreciate you talk about Protectli, but they really need to update their hardware and purge all the old stuff that has so many vulnerable devices! For an edge router the last thing you want is a vulnerable device sitting there. MMIO, Meltdown, Spectre, etc.. they are plagued with vulnerabilities. To test, download and install IPFire for free, and after installed just go to system > hardware vulnerabilities and check for yourself.
Yes in some circumstances. For example, some companies like BT will allow you to connect the firewall to their box that goes to the router. So on the WAN. You want to dump the BT router and get your own. Make sure your firewall can manage 1Gbps as a minimum. A lot of the firewalla devices are a waste of time as they restrict the connection. Many of the Mini PCs are bordering on being overloaded. You need something with 2.5Gbps ports.
This is a bit off topic but what's the point of having a NAS on a network segregated from your computers? I absolutely get and agree with the IoT rules but I'm not seeing the benefit of isolating storage. Won't this make retrieving data cumbersome? Or is the idea to have cold storage there?
The idea is both cold storage, and mitigating risk. The more active I am browsing the internet the more chance I might fall prey to phishing or be compromised in some way; if my most important devices are isolated on a separate network it helps protect them from my mistakes. I connect my computer to their network when I want access, but don't keep it connected otherwise.
Great video! I was following along and applying it to my Protectli device. Question - do you recommend I move my Synology NAS running Unifi for my access points to the OPT1 network? Will the NAS be able to talk to the access points on the main LAN port?
The Unifi Controller should be able to talk to your Access Points in LAN1 - The problem I see is that your Computer/Laptop on LAN1 will not connect to the NAS. Problem with this setup is that the computer, which initiates the connection to the NAS, gets blocked by the firewall rule.
Great video, thank you! I personally have a dedicated VLAN for IoT that is not connected to the main network, not connected to the guest network and has NO connection to the global internet. I can initiate connections to IoT devices from my main networks, but those devices can't initiate any connections back. And if the device does not work without connecting to its vendor server, then sorry, but this device just doesn't enter my home. I use OpenWrt on my router to set this stuff up.
That device is very cool and I thought this would be a good WAN interface replacement for all the crap home routers out there. For network segmenting, it would need a separate wifi access point on one of the ports. But at $219USD EdgeRouter can do the same thing. You connect Unifi on one port and ethernet network and switch on another port. Then the 3rd WAN port connects to the NBN NTD.
The EdgeRouter-X has been as low as $50 USD when introduced years ago - for some situations, the configuration of an EdgeRouter is a bit unwieldy (like the WAN and switch ports being limited to only specific interfaces, with the capabilities changing from device to device). Good for their own uses, and much better - as you say - than default provider equipment.
I've got WAN on the ERL3 configured on port 3, ethernet network on port 1 and unifi on port 2. It's not fool proof these models though. I've gone through 2 gens. Data is stored on a tiny thumb drive inside. It's crashed before requiring console access to recover with a new image. It doesn't seem like they sell ERL3 anymore? The X version is much cheaper but not sure it has hardware acceleration. Mine runs pretty cool and 7 watts also. No need for crazy heatsinks or fans.
I recently read a book about internet security, 'This is how they tell me the world ends.' If you've not read it, I can recommend it, it was really well written :)
I'm good up until 22:16. I can ping from OPT1 to IPs on LAN but I cannot ping anything on the Internet from OPT1, nor can I load web pages from the Internet from OPT1 (LAN gets to the Internet just fine). I can also ping my gateway IP on both OPT1 and LAN from OPT1. Anyone else run into this? How did you get your OPT1 network to access the Internet? Thanks.
Great video but two important questions here: 1) Why not setup VLANs instead of assigning new static IPs for the different Ethernet ports? 2) How do I keep IoT devices from access to the internet? (I have lights and maybe weather gauge that I don't want to see the light of day from the internet.) Thanks, Naomi.
1) Yes you can do VLANs with pfSense but this video is intended to give some easy to follow instructions for a very broad audience including many people who don't need or don't want the added complexity of VLANs. Adding VLANs into the mix would just be very confusing to many people and put up unnecessary barriers in an effort to set up a firewall/router. Moreover, depending on your network you might need a managed switch to make use of VLAN, which adds another source of extra cost and complexity. 2) Many ways to do that, I guess. Perhaps the easiest is to create a firewall rule which blocks all traffic from the IOT subnet (the "192.168.138.0/24" in the video) to its gateway address ("192.168.138.1"). Now nothing can get out to the internet. But this also means you'll lose connection to services you might need, like an NTP server for example. In that case you need to create more firewall rules to allow access to the services you want to keep access to.
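Both the single-host NAS exception suggested earlier in the thread and the IoT "block everything, then allow NTP" idea above stand or fall on two pfSense behaviours: rules are bound to the interface traffic enters on, and the first matching rule from the top wins. The following simulator of that evaluation is an added example, not code from the video or from pfSense; the IoT subnet 192.168.138.0/24 is the video's, every other address is a constructed placeholder, and the no-internet rule is modelled as a block to any destination placed after the exceptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addresses. Only the IoT subnet 192.168.138.0/24 is from the
# video; LAN, OPT1, the laptop, the NAS, the hub and the internet host are
# placeholders (203.0.113.5 is TEST-NET-3).
LAN_NET, OPT1_NET, IOT_NET = "192.168.1.0/24", "192.168.137.0/24", "192.168.138.0/24"
LAPTOP, NAS, IOT_HUB = "192.168.1.50", "192.168.137.10", "192.168.138.20"
INTERNET_HOST = "203.0.113.5"


@dataclass
class Packet:
    iface: str                  # interface the packet ENTERS the firewall on
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Rule:
    iface: str                  # tab the rule lives on; never consulted for other interfaces
    action: str                 # "pass" or "block"
    label: str
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.iface == p.iface
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src, strict=False)
                and ip_address(p.dst) in ip_network(self.dst, strict=False)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Top to bottom, first match wins; nothing matched means default deny."""
    for r in rules:
        if r.matches(p):
            return r.action, r.label
    return "block", "default deny"


def decide(rules: List[Rule], iface: str, proto: str, src: str, dst: str,
           dport: Optional[int] = None) -> str:
    return evaluate(rules, Packet(iface, proto, src, dst, dport))[0]


# Policy for the three segments: one pinned LAN host may reach the NAS over
# SMB/CIFS, the rest of LAN cannot enter OPT1 but may use the internet, and IoT
# devices get NTP and their hub but neither LAN, OPT1 nor the internet.
POLICY = [
    Rule("LAN",  "pass",  "laptop->NAS SMB", "tcp", LAPTOP + "/32", NAS + "/32", 445),
    Rule("LAN",  "block", "LAN->OPT1",       "any", LAN_NET, OPT1_NET),
    Rule("LAN",  "pass",  "LAN->anywhere",   "any", LAN_NET),
    Rule("OPT2", "pass",  "IoT NTP",         "udp", IOT_NET, "0.0.0.0/0", 123),
    Rule("OPT2", "pass",  "IoT->hub",        "any", IOT_NET, IOT_HUB + "/32"),
    Rule("OPT2", "block", "IoT->LAN",        "any", IOT_NET, LAN_NET),
    Rule("OPT2", "block", "IoT->OPT1",       "any", IOT_NET, OPT1_NET),
    Rule("OPT2", "block", "IoT no internet", "any", IOT_NET),
]

# Same rules, but the catch-all block dragged above the NTP exception:
# the NTP packet now dies on the block rule because first match wins.
MISORDERED = [r for r in POLICY if r.label != "IoT no internet"]
MISORDERED.insert(3, next(r for r in POLICY if r.label == "IoT no internet"))

# The NAS exception created on the OPT1 tab instead of LAN: LAN-originated
# traffic never consults it, so the connection hits LAN's default deny.
WRONG_TAB = [Rule("OPT1", "pass", "laptop->NAS SMB", "tcp", LAPTOP + "/32", NAS + "/32", 445)]


if __name__ == "__main__":
    checks = [
        ("laptop SMB to NAS",     POLICY,     ("LAN",  "tcp", LAPTOP, NAS, 445)),
        ("other LAN host to NAS", POLICY,     ("LAN",  "tcp", "192.168.1.51", NAS, 445)),
        ("laptop SSH to NAS",     POLICY,     ("LAN",  "tcp", LAPTOP, NAS, 22)),
        ("IoT NTP out",           POLICY,     ("OPT2", "udp", IOT_HUB, INTERNET_HOST, 123)),
        ("IoT HTTPS out",         POLICY,     ("OPT2", "tcp", IOT_HUB, INTERNET_HOST, 443)),
        ("IoT NTP, misordered",   MISORDERED, ("OPT2", "udp", IOT_HUB, INTERNET_HOST, 123)),
        ("NAS rule on wrong tab", WRONG_TAB,  ("LAN",  "tcp", LAPTOP, NAS, 445)),
    ]
    for name, rules, args in checks:
        action, label = evaluate(rules, Packet(*args))
        print(f"{name:24s} -> {action:5s} ({label})")
```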
14:20 - Will Chromecast still work out of the box with this siloing? I would have expected the device I want to cast to has to be on the same network than my phone or computer before they can be aware of these castable devices? How about DLNA? Will my LAN devices (automatically) see DLNA server if it is in OPT2 network? Within the same network all of this works automatically whenever such services are up and running. Can siloing ruin this ease of use?
Out of the box, no. But you definitely can set it up to permit the necessary multicast packets to be forwarded to the trusted network, allowing casting. I've had my iot devices siloed for a few years now, but my Chromecast still works as intended.
Great video. But what about security cameras and an NVR. Those devices should be able to be accessed from the NVR, but they should not be able to access the internet or any other device. Also, I like MAC address filtering and static IPs on IoT devices, even devices on a LAN. Without this, an IoT device can masquerade as other MACs it has seen on the network (if it has a promiscuous mode NIC) to try to find a way out of its firewalled cage. Pentest devices try to do this. Any IoT device could potentially have pentest code in them, hidden, waiting to pounce.
"...and static IPs on IoT devices, even devices on a LAN." Reserved IPs - or Static Address Mapping - to give a device an address when you can't set it otherwise. Be aware that things like Android phones are now defaulted to randomize the MAC address. I use static mapping on every owned network device that I can, leaving a small DHCP pool where guest devices end up (preferably on a DMZ network).
Naomi... Google (Chromium), Brave (Chromium), and very possibly Firefox (Mozilla) are discontinuing updates for their web browsers for Windows 7 and 8.1. Besides updating their OS, what can Windows 7 and 8.1. users do as far as having the most secure, privacy centered, internet compatible web browser and which one would it be with Brave (for example) off of the table? What do you recommend? Thanks!
I might not have understood the network topology very well. The opt1 (which is the safest level), the devices NAS looks like only have firewall rules out to the internet. Both LAN and opt2 network will not be able to access it which seems problematic. Does it mean for laptops to access files stored in the NAS, I have to add specific rule for e.g. CIFS between LAN and opt1 networks? And for an IOT TV device on opt2 network to watch video stored in the NAS, a firewall rule to allow RTSP, SRT between opt2 and LAN is necessary? This is getting pretty complicated... Comments appreciated. (Perhaps I should wait for the 3rd episode?) Thanks for providing this great resource to the community.
I’d really appreciate a version of this that covers how to handle this for Ubiquiti gear. I’ve also had siloed lans before but found that it broke functionality for devices and ended up surrendering my privacy and safety for convenience. I’d prefer to have both safety and security and convenience but I’m not skilled enough to figure out how to make that happen.
Ok so what happens while you are setting this up? Does everything stop working for awhile until everything is setup? What do I do for guests? I'm assuming I would put my main desktop on OPT1, my laptop on OPT1, would I put my iPad on OPT1? Most of my IoT devices in my apartment are lights, outlets, and Alexa controlled devices. Do the Alexa/Echo devices (Echo Show, Echo Dot) belong on the OPT2 network? I'm afraid doing this will cause confusion.
After segmenting the network, should the switch connected to each port be VLAN aware (or managed) to avoid losing the VLAN tags or is it a different topic?
Network can be segmented by Firewall or via VLANs or a combination of both. VLAN is a layer 2 level segmentation, whereas Firewall is a layer 3 segmentation.
This could make it a nightmare to control devices in opt2 for example... Now you can't scan for these devices, cameras in this space can't write to a local ftp server, upnp will be quite broken... I see difficulties resolving all of this...
You can actually just set up a trunked uplink and virtual interfaces for VLANs and only use 1 port. Using the OPT aka OPTIONAL ports is better suited to managing additional switches, for those of us that have over-provisioned switches. Great video though!
Geez this is super detailed. You need pro routers for this like Edgerouter Lite 3. $150 AUD! the best router. Going to go through it. I presume you mean a VLAN. Solar meter monitoring needs this! It's a backdoor to the local network if using wifi. Try to not use wifi with IOT! Half the time they don't need to be on the local network and connected. My Dishwasher may never get a Linux software update and is full of security holes. I disabled the wifi crap immediately.
What video do I need to watch to set up PFsense? I'm so confused, I've watched 5 different videos and each time it says go to this other video and it still doesn't explain what to do!
So I got to the step to copy the allow rule to both OPT1 and OPT2, however after testing it, I cannot pass traffic between LAN and OPT1 and OPT2. I have not set up any block rule yet, am I missing something? I can ping the IP address but cannot access devices across.
Wow what a fantastic video. Really nicely done. Good picture / sound, story and illustrated my compliments. I could really use this refresher course for my concerns about my new smart home. Only why not with Mikrotik routers (RouterOS) 😭😭😭😭😭🤪😜🙃😋. Some things work just a little differently there. And one more small point, but not too unimportant. On which lan would you place the cameras. My feeling says the safest side, but it remains a Smart product. And now to be Big Brother house for the whole neighborhood while you're horseback riding with a woman. (At least as soon as I have it again. Prepared person counts for two, they say 🤣🤣🤣🤣)
I like it but now 😅 have to go back to college to setup my network. is there not already some AI that can diagnose my current network and set up these rules?
I don't understand how the relationship between LAN and OPT1 is supposed to work. If I've got a NAS on OPT1 and I want to transfer backup files to it, how does that work if connection to it is blocked? What if I'm serving up media for Plex or Jellyfin from the NAS?
Appreciate the work you do. Router settings are so difficult, I wanted to use my VPN service with my DNS service and having smart devices on top of that is messy. So I just gave up 🙈
The only thing I have hard time understanding, what happens if you want to access the NAS from your computer, the network LAN is not able to talk to the OPT1 only OPT1 can talk to LAN.... how you upload data onto your NAS?
Interesting presentation. My simple TP-Link router can create three wifi SSIDs which, along with 4 ethernet ports can be grouped into various combinations. Nowhere near as elaborate as your presentation but not bad either.
Until they become more secure, people need to just stop using devices unnecessarily connected to the internet. Why do we need our washer/dryer to text us it's finished? I used a NEST thermostat for a while, but I never really noticed the savings it was supposed to bring. It was just neat for a while cuz it seemed so "high-tech". There are rolling dark web sites where you can browse people's live doorbell cameras, as well as INDOOR security camera feeds. For the moment, IOT is just a security nightmare. While everything connected at all times is likely the future with IoT, we don't need to rush so fast into it.
are there any 3rd party products or services that can do this for me? I like security but having to do all this myself seems very insecure because it puts all the responsibility on me and I am not a security expert
Wow! Naomi took Russian Voice lessons!🤣😂👍👍👍 We want more, more more!
Naomi will never stop being great.
I love it that you are bringing PFsense to the common people !
Nice video. I have 2 questions:
1. Can you give examples of devices that would go on OPT1? You mention file storage, but I want my computers to be able to access NAS.
2. I use a mesh wifi, I don't want one AP per logical network. Can it be setup to assign a new device by default to OPT2 and then manually move it to LAN as required?
I have the same question too. I'm working on setting up a NAS and if I put it on OPT1 as described, how would I ever save files to it?
Dealing with the same. How should I connect to my data in OPT?
There are some alternatives;
1. You use dedicated computer(s) for OPT1, in the OPT1, apart from the computers in the LAN. (Minimum convenience! Maximum security! There is a tradeoff...)
2. You create some firewall rules which are port based or application based and only allow some specific computers in the LAN to access the storage in the OPT1. This is a less secure way than the 1st option I wrote. You can not manage those rules in consumer routers. You need a pfsense or opnsense etc. (More convenience but less security! But it's still secure... )
I didn’t do it like above.
I created LAN, IoT network, Guest Network, Kid’s Network.
So I merged the Storage and Daily Usage networks into the LAN. I hardened it, and only hardened Mac Computers, iOS and iPadOS devices can run in the LAN. Of course NAS and data storage systems as well...
My LAN network cannot access the IoT network, despite the suggestion in the video, and the IoT network also cannot access the LAN network in my case. I mean, there is definitely no connection between the LAN and IoT networks. I totally restricted the two-way traffic. Ex: my iPhone in the LAN cannot access the Apple TV 4K box (hub for IoT devices) in the IoT network. It's also the same for the Apple TV 4K box, so it cannot access my iPad, iPhones, or computers. I manage all IoT devices and the hub (Apple TV 4K box) with my iPhone, but it's not being done through my local network. I manage them through the iCloud+ internet connection, so the Apple TV connects to iCloud+ through the dedicated IoT internet connection of the IoT network AND my iPhone in my highly secure LAN connects to iCloud+ through the secure internet connection of the LAN with the same Apple ID. Then I can manage everything in the IoT network seamlessly. That's the more secure solution in my case.
From the early days with Leo Laporte on Tech TV to now. You are the first person to make me feel the urge to step up my security.
I've met Leo (and his wife) in person - A neat guy!
Right! With his buddy John C. Dvorak on the Security Now podcast. I learned so much more about security than I ever would have in the early 2000s.
I will forever imagine my firewall as a Russian bouncer
Best analogy Ever 🎉😂
😂!
That is exactly what AdGuardHome is! I run it on my RaspberryPi as I found PiHole was that bad it used to fail regularly and eat SD Cards due to poor programming. The developers don't know how to incorporate DoH or DoT which means using the Cloudflared program. It is unfortunate PiVPN developers don't know how to make their program work with anything other than PiHole, they are not able to make it work with AdGuardHome which is unfortunate.
It doesn't give me much confidence that any of them know what they are doing or if we can rely on it if they don't know how to make their software perform certain functions or even listen to their supporters.
Da.
Mine has a New York mafioso type accent. Not sure why but he just showed up one day telling me I was “under his protection”…
This is probably one of the most important videos I've seen on this channel. Very well explained and presented. Excellent work Naomi.
My first lesson in firewalls was when I learned about port forwarding. That broke the door open and helped me understand the small bump in speed for some devices isn't worth the risk. I need to check out that pfsense.
Naomi's Russian accent is the best firewall anyone could wish for!
0:55 A lot of home routers have "low firewall settings" enabled by default. So that means it's not filtering packets. They would fall over doing so. Edgerouter Lite 3 has hardware acceleration on a chip for routing. The configs get uploaded to the chip. So it can do 1 Gbps fully firewall filtered. These things are cheap and should be standard in homes. And can be sent to people pre-configured. EdgeOS stays up to date also. Any router is not immune to Linux security holes like libc. I was able to do a debian package update to get the fix immediately before a firmware update.
I run pfSense on my main connections, but also use Ubiquiti EdgeRouters for lesser connections...
Amazing timing! I've been running pfsense for about a year and have been planning on segmenting my network some time in the next couple weeks. Thanks for the straight forward layout and explanation!
I've pointed several people towards your channel because of the fantastic way you break down complex cyber security issues.
Nice vid, I learned loads.
I don’t know much about pfSense, as I’ve only been on OpenWRT for a couple years.
How exactly do you save files to your NAS if you block all requests from your devices? Unless I am missing something, it seems like it wouldn't work at all......
Set up a rule to allow said device to the NAS
Thank you, I will try some of the fw rules. Very good explanations.
2:21. EdgeOS can do deep packet inspection and intrusion detection but I think it's resource intensive. I have to try and re-enable it again. I'm not sure if it acts on a problem or just gives fine-grained detail of the traffic. DNSMasq filtering can be enabled on it, meaning a network-wide ad and malware filter.
Thanks for this video, well explained. Just a quick question, I assume that OPT1 would contain the NAS devices, if so why would you not want the LAN segment to access the OPT1 if that's where all the data is stored? Or did I misunderstand the purpose of OPT1? Thanks
I don't get this either. If the PC LAN is not allowed to access OPT1, how are you to access or save data to your NAS units? I feel like I'm missing something basic here. Can anyone provide clarification?
Not just a firewall. Today I made the change from one big IoT network with firewalls, to individual subnets for IoT devices because of a google speaker flaw discovered that allowed attacks within its wireless range to install a payload that can then target devices on the network which have microphones to act as a proxy to send audio data back to attackers. So now all IoT devices have their own VLAN on my network, and the firewalls actively block internet access on each vlan that doesn't legitimately need it (lights don't for instance, just need to talk to the hub).
This is probably why my boundaries are always being broken, nosy people. Thank you for this upload.
The intro of this video is educational, and so is the step-by-step guide to setting up a more secure network at home with IoT devices.
Awesome stuff Naomi, and just in time too...
I'm just about to start installing an opnsense router here, as soon as I figure out how to make the damn M.2 NVMe drive work... probably works similarly to pfsense.
I'd go with pfsense but it's still not compatible with the nics in my router.
But it's super nice to see it explained step by step like this... major reason why I got the whole thing in the first place is because I want to isolate my NAS devices into separate networks, so couldn't ask for more.
Really detailed setup video, thanks!
Naomi, you are a genius!!!!!! Just received the Protectli. Will try to set it up this weekend.
Start with the first video! th-cam.com/video/QPCbri1EJ8U/w-d-xo.html
I set up my home firewall with OpenBSD to do something similar years ago and have had no problems with it. I set up a different subnet for work that was treated as your IoT subnet was here, and another one for business for my own personal work, etc. I would also separate proprietary OSes and commodity hardware like IoT to restrictive networks.
I know the video is about a year old at this point, but I tumbled across it as I was pondering reworking my own home network. I get the "tiers of privacy" type structure, and when I held a lot of client information, I was very strict about it. However, once I closed my business, I became very lax about network privacy. Here's one issue I've not been able to puzzle out. TVs, and other devices typically go in the "low privacy" network as outlined in this video. Now lets say I implement a media server that streams local data over my network to my TV, my phone, etc. The phone and TV are typically on different nets. So where does the media server go? Lowest privacy network. Seems like I wouldn't want it there b/c I want to keep it a bit more secure. Do I put it on a more secure network and then create a firewall rule to allow the TV to talk to it? Seems to defeat the purpose of putting it in the higher security network. This is why I became lazy about network privacy b/c I couldn't figure this out.
This is exactly what I'm wondering too at this point
I can't figure out how keeping your storage in a network that cannot be accessed by your everyday computers, such as indicated in this video, is realistic. How does having a NAS that cannot be accessed by your computer help? In this situation, it doesn't seem to help that your NAS can access your computer if contact cannot be initiated by your computer. The only thing that I can figure is that you can assign a static IP address to your computer and then have a rule that allows access from that one IP address to your NAS. But then that kind of defeats the purpose of having the NAS and your everyday computer on separate networks.
I found how Naomi is thinking of this down in the comments below. When her devices are simply being used to access the internet, and don't need the storage, they are connected to the LAN network. When she needs to access the storage, she connects her devices to the higher security storage network. The idea being that you only connect to the higher security network when you need the items on that network. Less likely to compromise your storage if you only connect when you need to I guess.
I haven't watched any of your videos yet, I just appreciate someone explaining all the hidden aspects of technology. So subscribed, and looking forward to checking you out 😎
Thanks for being here!
@@NaomiBrockwellTV hi Naomi, I'm trying to setup my homelab based on your videos. I need VPN but I'm not sure which is best.
-Have you heard of BytzVPN from Rob Braxman(he is into privacy like you)? Have you tested BytzVPN?
-When will you post the home VPN videos?
Excellent series on securing at home. I did something similar about a year ago and picked up multiple extra steps from this.
Subbed with gratitude. 😀
🙏
Do you need 2 wifi routers for your LAN devices and IoT devices? Since your networks are segmented into OPT2 and LAN? And then don't you need extra ports on the back to connect them in?
No, as long as your Wi-Fi router supports 802.1Q you'll only need one.
Just watched you on David Bombals channel. Oh God, I think I'm going love your channel!!!! Haha great skits and very informative.
Welcome!
How are your LAN going to access the NAS if it's blocked? That seems to defeat the purpose of NAS.
Also, if I want all 3 to have WiFi, that means I need 3 WiFi routers, right? Most IoT can only use WiFi, so you definitely need one for OPT2. Same for phones on LAN. Are there no issues running that many WiFi?
Also, does this mean your IoT can't be controlled from your phone? I guess unless you connect to the OPT2 WiFi, right?
11:20 lacks a DNSSEC option, which would help a bit against external damage.
A great follow up to this would be a VLAN tutorial. No need to use the other physical interfaces on the router, but you will need a Switch, preferably a managed switch.
Great video thanks !
I have a dumb question about network isolation. If your NAS is on OPT1, how do you have access to it if it's not available from LAN? As any computer or phone will be on the LAN network.
If anyone has answers, I will be grateful. Thanks :)
In my office I have an Ethernet cable to LAN and an Ethernet cable to OPT1, so when I need to access the NAS I just switch cables. I like it better than giving my computer prolonged periods of access.
@@NaomiBrockwellTV Oh yeah I didn't see that way, easy fix, thank you for the tip
Or you tweak your firewall settings. You could give your laptop a fixed IP address in the LAN segment (the best way is via a fixed DHCP lease on pfsense) and then you make a rule where this one IP address is allowed to contact only your NAS IP on the OPT1 network. Bad actors could use this "whole" in the firewall when they have hacked your laptop. But the same is true when the malware is on your laptop and you connect it with the physical cable.
@@tomRX4878"hole", but otherwise, thank you for the response.
Amazing! As always. Thanks so much team!
Very interesting and well explained. Can you segment the home network on the 2-port? Do you need a separate AP for each segment?
If your IOT devices are on one network and your iPhone which runs their apps is on the other network, how do the apps control/get the statuses from the IOT devices? Doesn’t there need to be two way traffic between the two networks?
@@Niklas2516 Thanks Niklas. I guess for things like security or doorbell cameras, a rule would have to be created to let any messages that they initiate get through. Is that how it would work?
@@Niklas2516 got it. That would explain why a lot of things stop working if you lose your Internet. Thanks again.
Sorry for going off topic... can we get a better look at those vintage-style modern posters? They look dope, despite not being seen that well :D
So would a guest network on a router be similar to having 3:55 these rules if you can’t create VLANs with your router?
A guest network is a good way to segment networks
For those who find pfsense a bit complicated, ipfire is a great choice. I've been running ipfire for many years and switched to running it on a Protectli device a year ago. The bad thing about Protectli though is many of their lower end devices (2 ports and 4 ports) have many hardware vulnerabilities due to the old Intel chips being used. I have the 2 port version and it is plagued with hardware vulnerabilities. Ipfire has a built-in checker to check for hardware vulnerabilities, unlike pfsense, which is an awesome feature to inspect the hardware to ensure it is not vulnerable. I am working to look at different hardware since my current Protectli I bought a year ago has too many hardware vulnerabilities on it now. If you get Protectli, get the coreboot BIOS, since all their stuff is made/flashed in China, but at least with coreboot you get open-source firmware vs who knows what extra stuff is included in the China-flashed firmware.
I personally wouldn't worry about these CPU vulnerabilities unless you're worried about someone that could potentially gain physical access to your device and run code on it. It's way more of a concern for businesses than for home users. It's not like the router will just run random code off the internet.
I think ipfire uses SPI, not DPI. There's tshark in add-ons, but I'm not sure how else to add DPI.
Good, simple and clear vid. But I'd say the only thing that is not communicated here is that anything on your "untrusted" network, while it may be blocked from your regular LAN or whatever you configured, will not only be able to talk to the internet, but will also be able to talk to the other devices on that network as well.
So while you can protect your regular computers on your trusted LAN network from these less trustworthy IoT devices, this won't protect and isolate one IoT device from any other IoT device on that same network.
Great point to mention, for sure
Naomi, I have a legit question: all of this is nice for wired devices, but what happens if I have wireless devices in many subnetworks (LAN and OPT2 in this case)? Do I need to plug in 2 different wireless routers in the "pfSense" firewall (one for LAN wireless devices and another for OPT2 wireless devices)? Also, is the firewall to be connected between the modem and a router, or the firewall must be connected downstream to a router (modem ➔ router ➔ firewall)?
The easy answer: modem -> Firewall/router. Pfsense is already a router and a firewall.
You can have one access point but then you have to work with VLANs. The detailed answer is too complex to write here. Then you have to bind the VLANs to an interface (let's say opt2) and then you can create a WLAN network for each VLAN.
Wow what a crash course but excellent! Though I may have to watch the PFsense set up a few more times as I'm not getting how all my network appliances like light bulbs, plugs Alexa, ecobee etc. will be able to work off their phone apps sitting on the other network?
this amazing video is like a training to safer LAN... hardening firewalls and vlans with pfSense is best way
What about IoT devices on a separate VLAN that allows only bidirectional DNS (UDP/53 and TCP/53) and Plex (Port 36400) but not allows communication with the main VLAN? It has been discussed in a video by Crosstalk Solutions.
Hmmm... I can't seem to find that video. Love to have pointer.
Would love your thoughts on Apple adding End to End Encryption!
That’s our next video :) next week
Thank you for having LBRY links in your description!
I appreciate you talk about Protectli, but they really need to update their hardware and purge all the old stuff that has so many vulnerable devices! For an edge router the last thing you want is a vulnerable device sitting there. MMIO, Meltdown, Spectre, etc.; they are plagued with vulnerabilities. To test, download and install Ipfire for free, and after it's installed just go to system > hardware vulnerabilities and check for yourself.
What if my ISP is providing me an integrated modem/router and so I dont have my own separate router? Can I still use a PFsense device?
Yes in some circumstances. For example, some companies like BT will allow you to connect the firewall to their box that goes to the router. So on the WAN.
You want to dump the BT router and get your own. Make sure your firewall can manage 1Gbps as a minimum.
A lot of the firewalla devices are a waste of time as they restrict the connection. Many of the Mini PCs are bordering on being overloaded. You need something with 2.5Gbps ports.
Great Information. Thanks for sharing
Very interesting. Which risk category would you place PlayStations and X-Boxes in?
This is a bit off topic but what's the point of having a NAS on a network segregated from your computers? I absolutely get and agree with the IoT rules but I'm not seeing the benefit of isolating storage. Won't this make retrieving data cumbersome? Or is the idea to have cold storage there?
The idea is both cold storage, and mitigating risk. The more active I am browsing the internet the more chance I might fall prey to phishing or be compromised in some way; if my most important devices are isolated on a separate network it helps protect them from my mistakes. I connect my computer to their network when I want access, but don't keep it connected otherwise.
Great video! I was following along and applying it to my Protectli device. Question - do you recommend I move my Synology NAS running Unifi for my access points to the OPT1 network? Will the NAS be able to talk to the access points on the main LAN port?
The Unifi Controller should be able to talk to your Access Points in LAN1 - The problem I see is that your Computer/Laptop on LAN1 will not connect to the NAS. Problem with this setup is that the computer, which initiates the connection to the NAS, gets blocked by the firewall rule.
Great video, thank you! I personally have a dedicated VLAN for IoT that is not connected to the main network, not connected to the guest network and has NO connection to the global internet. I can initiate connections to IoT devices from my main networks, but those devices can't initiate any connections back. And if the device does not work without connecting to its vendor server, then sorry, but this device just doesn't enter my home. I use OpenWrt on my router to set this stuff up.
That device is very cool and I thought this would be a good WAN interface replacement for all the crap home routers out there. For network segmenting, it would need a separate WiFi access point on one of the ports. But at $219 USD an EdgeRouter can do the same thing. You connect Unifi on one port and the ethernet network and switch on another port. Then the 3rd WAN port connects to the NBN NTD.
The EdgeRouter-X has been as low as $50 USD when introduced years ago - for some situations, the configuration of an EdgeRouter is a bit unwieldy (like the WAN and switch ports being limited to only specific interfaces, with the capabilities changing from device to device). Good for their own uses, and much better - as you say - than default provider equipment.
I've got WAN on the ERL3 configured on port 3, ethernet network on port 1 and Unifi on port 2. These models are not foolproof though. I've gone through 2 gens. Data is stored on a tiny thumb drive inside. It's crashed before, requiring console access to recover with a new image. It doesn't seem like they sell the ERL3 anymore? The X version is much cheaper but I'm not sure it has hardware acceleration. Mine runs pretty cool and 7 watts also. No need for crazy heatsinks or fans.
I recently read a book about internet security, 'This is how they tell me the world ends.' If you've not read it, I can recommend it, it was really well written :)
Oh I heard that recommended on darknet diaries, been meaning to check it out!
how may i get a copy on amazon?
I'm good up until 22:16. I can ping from OPT1 to IPs on LAN but I cannot ping anything on the Internet from OPT1, nor can I load web pages from the Internet from OPT1 (LAN gets to the Internet just fine). I can also ping my gateway IP on both OPT1 and LAN from OPT1. Anyone else run into this? How did you get your OPT1 network to access the Internet? Thanks.
Great video but two important questions here: 1) Why not setup VLANs instead of assigning new static IPs for the different Ethernet ports? 2) How do I keep IoT devices from access to the internet? (I have lights and maybe weather gauge that I don't want to see the light of day from the internet.) Thanks, Naomi.
1) Yes you can do VLANs with pfSense but this video is intended to give some easy to follow instructions for a very broad audience including many people who don't need or don't want the added complexity of VLANs. Adding VLANs into the mix would just be very confusing to many people and put up unnecessary barriers in an effort to set up a firewall/router. Moreover, depending on your network you might need a managed switch to make use of VLANs, which adds another source of extra cost and complexity.
2) Many ways to do that, I guess. Perhaps the easiest is to create a firewall rule which blocks all traffic from the IOT subnet (the "192.168.138.0/24" in the video) to its gateway address ("192.168.138.1"). Now nothing can get out to the internet. But this also means you'll lose connection to services you might need, like an NTP server for example. In that case you need to create more firewall rules to allow access to the services you want to keep access to.
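Several replies in this thread describe pfSense rules in words: the fixed-IP pinhole from one LAN host to the NAS on OPT1 (the "tweak your firewall settings" reply above), and the IoT egress restriction in the reply just above. What follows is an added example, not code from the video or from any commenter: a small Python model of first-match, per-ingress-interface stateful filtering with default deny, run over constructed packets. The subnets (192.168.1.0/24 for LAN, 192.168.2.0/24 for OPT1, 192.168.138.0/24 for OPT2), host addresses and port numbers are assumptions for the demo. One caveat: the IoT rules here block by destination (everything except NTP and DNS to the firewall itself is denied) rather than by the gateway address, because a packet routed to the Internet carries the remote host as its destination, not the gateway, so a rule against 192.168.138.1 only stops access to services running on the firewall.

```python
"""Toy model of pfSense-style filtering: rules are evaluated on the ingress
interface, first match wins, replies to an allowed flow pass via the state
table, and anything unmatched is dropped. Added example; not the video's config."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed addressing for the demo (not from the video).
LAN_NET, OPT1_NET, OPT2_NET = "192.168.1.0/24", "192.168.2.0/24", "192.168.138.0/24"
LAPTOP, NAS, IOT_GW = "192.168.1.50", "192.168.2.10", "192.168.138.1"


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet enters the firewall on
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def _in(spec: str, addr: str) -> bool:
    """'any', a CIDR, or a single host; a bare host parses as a /32."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


@dataclass(frozen=True)
class Rule:
    iface: str
    action: str              # "pass" or "block"
    proto: str = "any"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.iface == p.iface
                and self.proto in ("any", p.proto)
                and _in(self.src, p.src) and _in(self.dst, p.dst)
                and (self.dport is None or self.dport == p.dport))


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()   # (proto, client, cport, server, sport) of flows that were passed

    def evaluate(self, p: Packet) -> str:
        # A reply to an already-permitted flow never consults the rules. This is
        # why OPT1 -> LAN can work even though LAN -> OPT1 is blocked.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
            return "pass"
        for r in self.rules:
            if r.matches(p):
                if r.action == "pass":
                    self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return r.action
        return "block"       # implicit default deny


def build_firewall() -> StatefulFirewall:
    return StatefulFirewall([
        # LAN: one pinhole (laptop -> NAS over SMB), then block the rest of OPT1, then allow all.
        Rule("LAN", "pass", "tcp", LAPTOP, NAS, 445),
        Rule("LAN", "block", src=LAN_NET, dst=OPT1_NET),
        Rule("LAN", "pass", src=LAN_NET),
        # OPT1 (storage) may open connections anywhere, as in the video.
        Rule("OPT1", "pass", src=OPT1_NET),
        # OPT2 (IoT): NTP and DNS to the firewall only; LAN, OPT1 and the Internet are denied.
        Rule("OPT2", "pass", "udp", OPT2_NET, IOT_GW, 123),
        Rule("OPT2", "pass", "udp", OPT2_NET, IOT_GW, 53),
        Rule("OPT2", "block", src=OPT2_NET),
    ])


def run_scenarios() -> dict:
    """Constructed packets exercising the rule set; returns scenario -> verdict."""
    fw = build_firewall()
    bulb, cloud = "192.168.138.77", "203.0.113.9"   # constructed IoT host and Internet host
    return {
        "laptop->nas smb":       fw.evaluate(Packet("LAN", "tcp", LAPTOP, 50001, NAS, 445)),
        "laptop->nas ssh":       fw.evaluate(Packet("LAN", "tcp", LAPTOP, 50002, NAS, 22)),
        "other pc->nas smb":     fw.evaluate(Packet("LAN", "tcp", "192.168.1.51", 50003, NAS, 445)),
        "nas->laptop":           fw.evaluate(Packet("OPT1", "tcp", NAS, 40000, LAPTOP, 8080)),
        "laptop reply to nas":   fw.evaluate(Packet("LAN", "tcp", LAPTOP, 8080, NAS, 40000)),
        "bulb->ntp on firewall": fw.evaluate(Packet("OPT2", "udp", bulb, 123, IOT_GW, 123)),
        "bulb->internet https":  fw.evaluate(Packet("OPT2", "tcp", bulb, 51000, cloud, 443)),
        "bulb->laptop":          fw.evaluate(Packet("OPT2", "tcp", bulb, 51001, LAPTOP, 22)),
        "laptop->bulb":          fw.evaluate(Packet("LAN", "tcp", LAPTOP, 50004, bulb, 80)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:24s} {verdict}")
```

The "laptop reply to nas" scenario is the point the NAS questions in this thread keep circling: a rule is consulted only for the packet that opens a connection, and replies to an already-permitted flow are matched by the state table. So OPT1 can open connections to LAN and get answers, while LAN cannot open connections to OPT1 unless a pinhole like the first LAN rule exists; the same packet sent on a fresh firewall, with no flow in the state table, is just an unsolicited LAN-to-OPT1 packet and is blocked.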
14:20 - Will Chromecast still work out of the box with this siloing? I would have expected the device I want to cast to has to be on the same network as my phone or computer before they can be aware of these castable devices?
How about DLNA? Will my LAN devices (automatically) see DLNA server if it is in OPT2 network? Within the same network all of this works automatically whenever such services are up and running. Can siloing ruin this ease of use?
Out of the box, no. But you definitely can set it up to permit the necessary multicast packets to be forwarded to the trusted network, allowing casting. I've had my iot devices siloed for a few years now, but my Chromecast still works as intended.
Great video. But what about security cameras and an NVR. Those devices should be able to be accessed from the NVR, but they should not be able to access the internet or any other device.
Also, I like MAC address filtering and static IPs on IoT devices, even devices on a LAN. Without this, an IoT device can masquerade as other MACs it has seen on the network (if it has a promiscuous mode NIC) to try to find a way out of its firewalled cage. Pentest devices try to do this. Any IoT device could potentially have pentest code in them, hidden, waiting to pounce.
"...and static IPs on IoT devices, even devices on a LAN."
Reserved IPs - or Static Address Mapping - to give a device an address when you can't set it otherwise. Be aware that things like Android phones are now defaulted to randomize the MAC address. I use static mapping on every owned network device that I can, leaving a small DHCP pool where guest devices end up (preferably on a DMZ network).
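As a worked check on the static-mapping advice in the two replies above, here is an added Python example (not from the video or the commenters) that audits a DHCP lease table against a router's static mappings. The lease table, the mappings and the hostnames are constructed sample data. The randomization test it uses is the locally-administered bit (0x02 in the first octet of the MAC), which the per-network randomized addresses on Android and iOS set and which a manufacturer-assigned address leaves clear.

```python
"""Audit DHCP leases against static mappings and flag randomized MACs.
Added example with constructed data; not output from any real router."""
import re
from typing import Dict, List

# Constructed lease table: MAC, assigned IP, hostname.
LEASES = """\
b8:27:eb:12:34:56 192.168.1.20  raspberrypi
3c:22:fb:aa:bb:cc 192.168.1.21  macbook
00:11:32:44:55:66 192.168.1.30  nas
da:51:0c:7e:19:02 192.168.1.105 android-phone
f2:3a:90:11:22:33 192.168.1.106 iphone
28:6c:07:01:02:03 192.168.1.107 smart-plug
"""

# Assumed static mappings on the router (MAC -> reserved IP); constructed.
STATIC_MAP: Dict[str, str] = {
    "b8:27:eb:12:34:56": "192.168.1.20",
    "3c:22:fb:aa:bb:cc": "192.168.1.21",
    "00:11:32:44:55:66": "192.168.1.30",
    "a4:83:e7:de:ad:01": "192.168.1.40",  # a phone's hardware MAC that never appears on the wire
}

MAC_RE = re.compile(r"^([0-9a-f]{2})(?::[0-9a-f]{2}){5}$")


def first_octet(mac: str) -> int:
    m = MAC_RE.match(mac.strip().lower())
    if m is None:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(m.group(1), 16)


def is_locally_administered(mac: str) -> bool:
    """Bit 1 (0x02) of the first octet set: generated by the host, not burned in.
    Randomized MACs on Android/iOS set it, so they never match a static mapping."""
    return first_octet(mac) & 0x02 != 0


def is_multicast(mac: str) -> bool:
    """Bit 0 (0x01) set: a group address, never a host's own source MAC."""
    return first_octet(mac) & 0x01 != 0


def parse_leases(text: str) -> List[tuple]:
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        mac, ip, host = line.split()[:3]
        rows.append((mac.lower(), ip, host))
    return rows


def audit(lease_text: str, static_map: Dict[str, str]) -> Dict[str, list]:
    """Classify every lease against the static mappings.

    randomized : locally administered MAC; a static mapping cannot pin this device
    unmapped   : burned-in MAC still in the dynamic pool; candidate for a mapping
    mismatch   : mapped device that received an address other than its reservation
    stale      : mappings for MACs that never appeared (e.g. a randomizing phone)
    """
    static = {k.lower(): v for k, v in static_map.items()}
    seen = set()
    out: Dict[str, list] = {"randomized": [], "unmapped": [], "mismatch": [], "stale": []}
    for mac, ip, host in parse_leases(lease_text):
        seen.add(mac)
        if is_locally_administered(mac):
            out["randomized"].append((host, mac))
        elif mac not in static:
            out["unmapped"].append((host, mac, ip))
        elif static[mac] != ip:
            out["mismatch"].append((host, mac, ip, static[mac]))
    out["stale"] = sorted(set(static) - seen)
    return out


if __name__ == "__main__":
    for key, rows in audit(LEASES, STATIC_MAP).items():
        print(f"{key:11s} {rows}")
```

Devices in the "randomized" list are the ones the reply above warns about: the router will keep handing them pool addresses, and a MAC-based allow rule written against the phone's hardware address (the "stale" entry here) silently never matches. For those you either turn randomization off for that SSID on the phone or key your rules on something other than the MAC.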
Does pfsense come with Deep Packet Inspection by default?
Naomi... Google (Chromium), Brave (Chromium), and very possibly Firefox (Mozilla) are discontinuing updates for their web browsers for Windows 7 and 8.1. Besides updating their OS, what can Windows 7 and 8.1. users do as far as having the most secure, privacy centered, internet compatible web browser and which one would it be with Brave (for example) off of the table? What do you recommend? Thanks!
@Fluffy Hamster Which one?
I might not have understood the network topology very well. On opt1 (which is the safest level), the NAS devices look like they only have firewall rules out to the internet. Both the LAN and opt2 networks will not be able to access it, which seems problematic.
Does it mean for laptops to access files stored in the NAS, I have to add specific rule for e.g. CIFS between LAN and opt1 networks? And for an IOT TV device on opt2 network to watch video stored in the NAS, a firewall rule to allow RTSP, SRT between opt2 and LAN is necessary? This is getting pretty complicated... Comments appreciated. (Perhaps I should wait for the 3rd episode?) Thanks for providing this great resource to the community.
I’d really appreciate a version of this that covers how to handle this for Ubiquiti gear. I’ve also had siloed lans before but found that it broke functionality for devices and ended up surrendering my privacy and safety for convenience. I’d prefer to have both safety and security and convenience but I’m not skilled enough to figure out how to make that happen.
Ok so what happens while you are setting this up? Does everything stop working for awhile until everything is setup?
What do I do for guests?
I'm assuming I would put my main desktop on OPT1, my laptop on OPT1, would I put my iPad on OPT1?
Most of my IoT devices in my apartment are lights, outlets, and Alexa controlled devices. Do the Alexa/Echo devices (Echo Show, Echo Dot) belong on the OPT2 network?
I'm afraid doing this will cause confusion.
Great video ... AND made me smile 😊
In this case you need more than 1 AP in a home; it's a bit annoying. Is there any other way, working with just one port and by IP address?
Very informative video, thank you.
After segmenting the network, should the switch connected to each port be VLAN-aware (or managed) to avoid losing the VLAN tags, or is it a different topic?
Network can be segmented by Firewall or via vlans or a combination of both.
VLAN is a layer 2 level segmentation, whereas a firewall is a layer 3 segmentation.
Great video. When is the video 3 in the series going up?
Early next year!
Newb question. If I can't access my NAS on OPT1 from my desktop on LAN or my TV on OPT2, then how do I access my files/media?
If you wanted Wi-Fi for these 3 networks, would you need 3 different APs? When would you want to use VLANs instead of creating a new network?
You could either have 3 different APs, or you could segment your networks using VLANs instead, both work!
This could make it a nightmare to control devices in opt2 for example... Now you can't scan for these devices, cameras in this space can't write to a local ftp server, upnp will be quite broken... I see difficulties resolving all of this...
What about setting up multiple wireless networks on APs instead of setting up multiple wired networks on the router?
You can actually just setup a trunked uplink and virtual interfaces for VLANs and only use 1 port. Using the OPT aka OPTIONAL ports are better suited to manage additional switches, for those of us that have over-provisioned switches.
Great video though!
Naomi, 👍👍 great video content very informative with great humour.
Can you recommend a no root firewall for mobile devices?
Geez this is super detailed. You need pro routers for this like the EdgeRouter Lite 3. $150 AUD! The best router. Going to go through it. I presume you mean a VLAN. Solar meter monitoring needs this! It's a backdoor to the local network if using WiFi. Try to not use WiFi with IoT! Half the time they don't need to be on the local network and connected. My dishwasher may never get a Linux software update and is full of security holes. I disabled the WiFi crap immediately.
What video do I need to watch to set up PFsense? I'm so confused, I've watched 5 different videos and each time it says go to this other video and it still doesn't explain what to do!
👍👍- Great vid. Thanks Naomi.
So I got to the step to copy the allow rule to both OPT1 and OPT2, however after testing it, I cannot pass traffic between LAN and OPT1 and OPT2. I have not set up any block rule yet, am I missing something? I can ping the IP address but cannot access devices across.
Wow what a fantastic video. Really nicely done. Good picture / sound, story and illustrated my compliments. I could really use this refresher course for my concerns about my new smart home. Only why not with Mikrotik routers (RouterOS) 😭😭😭😭😭🤪😜🙃😋. Some things work just a little differently there. And one more small point, but not too unimportant. On which lan would you place the cameras. My feeling says the safest side, but it remains a Smart product. And now to be Big Brother house for the whole neighborhood while you're horseback riding with a woman. (At least as soon as I have it again. Prepared person counts for two, they say 🤣🤣🤣🤣)
I like it
but now 😅 have to go back to college to setup my network.
is there not already some AI that can diagnose my current network and set up these rules?
Would be cool to access the config of pfsense only on the same device you are running it .
Still waiting for best password manager really need one and don't know what to choose
In the works for early next year! But tldr, bitwarden, or if you're really private and don't mind inconvenience, keepassxc offline
Does anyone know if its possible to maintain mesh network functionality while putting the router in AP mode? I have asus routers that use ai-mesh
How about connecting IoT devices to the guest WiFi network?
So one wireless access point for LAN and IOT? and therefore two APs?
That’s one solution. Another is VLANs and creating separate networks in the same AP, which we haven’t talked about yet
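The replies about running one access point for several networks (the reply above, and the earlier one explaining that a router with 802.1Q support binds VLANs to an interface and serves one WLAN per VLAN) refer to the tag the AP adds to each SSID's frames on its uplink. The following is an added Python example, not code from the video or from any commenter: it builds a constructed Ethernet frame, inserts and parses the 4-byte 802.1Q tag, and maps the VLAN ID to a logical interface the way a router with VLAN sub-interfaces does. The VLAN IDs and interface names (10 = LAN, 20 = OPT2, 30 = GUEST) and the choice that untagged frames belong to LAN are assumptions for the demo.

```python
"""802.1Q tag insert/parse on a constructed Ethernet frame.
Added example; the VLAN numbering is an assumption, not the video's setup."""
import struct
from typing import Dict, Optional

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag follows

# Assumed VLAN-ID -> logical interface mapping; untagged frames land on NATIVE_IFACE.
VLAN_MAP: Dict[int, str] = {10: "LAN", 20: "OPT2", 30: "GUEST"}
NATIVE_IFACE = "LAN"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def make_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame without FCS: dst(6) src(6) type(2) payload."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """What the AP does on its trunk: insert TPID + TCI right after the two MACs."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    if len(frame) < 14:
        raise ValueError("frame too short")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Header fields; vid and pcp are None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, pcp, offset = tci & 0x0FFF, tci >> 13, 18
    return {"dst": mac_str(dst), "src": mac_str(src), "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def untag_frame(frame: bytes) -> bytes:
    """Strip the tag, as the router's VLAN sub-interface does before layer 3 sees the frame."""
    if parse_frame(frame)["vid"] is None:
        return frame
    return frame[:12] + frame[16:]


def classify(frame: bytes, vlan_map: Dict[int, str], native: str = NATIVE_IFACE) -> Optional[str]:
    """Logical interface a frame belongs to; None for an unknown VID, which a router drops."""
    vid = parse_frame(frame)["vid"]
    return native if vid is None else vlan_map.get(vid)


if __name__ == "__main__":
    # Constructed frame: a phone on the IoT SSID sending an IPv4 packet.
    f = make_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", 0x0800, b"ipv4 payload")
    for name, fr in [("untagged", f), ("iot ssid, vid 20", tag_frame(f, 20, pcp=5))]:
        print(f"{name:18s} vid={parse_frame(fr)['vid']} -> {classify(fr, VLAN_MAP)}")
```

The consequence for the questions about "one AP or three": every link between the AP and the firewall carries all three networks on one cable, separated only by this 12-bit VID, so any unmanaged switch in between must at least pass tagged frames through untouched, and a managed switch port that strips tags or sits on the wrong native VLAN quietly merges two networks you meant to keep apart.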
This is great Naomi.
Very helpful! Thank you.
Glad it was helpful!
I don't understand how the relationship between LAN and OPT1 is supposed to work. If I've got a NAS on OPT1 and I want to transfer backup files to it, how does that work if the connection to it is blocked? What if I'm serving up media for Plex or Jellyfin from the NAS?
Appreciate the work you do.
Router settings are so difficult, I wanted to use my VPN service with my DNS service and having smart devices on top of that is messy. So I just gave up 🙈
We'll be doing DNS and VPNs in an upcoming video!
I was trying to follow along, but I'm missing the steps to set the WAN firewall rules.
Can we get a video about wifi extenders or mesh wifi? Thank you 😊
A really great video.
Thank you.
awesome content Naomi!
🙏
The only thing I have hard time understanding, what happens if you want to access the NAS from your computer, the network LAN is not able to talk to the OPT1 only OPT1 can talk to LAN.... how you upload data onto your NAS?
If I change my Windows os to a more private one, will I still be able download crypto apps like ledger live ?
Love your stuff by the way!
Interesting presentation. My simple TP-Link router can create three wifi SSIDs which, along with 4 ethernet ports can be grouped into various combinations. Nowhere near as elaborate as your presentation but not bad either.
Those SSIDs are probably overlapping on the same channels...
@@IBM_Museum They are.
Until they become more secure, people need to just stop using devices unnecessarily connected to the internet.
Why do we need our washer/dryer to text us it’s finished? I used a NEST thermostat for a while, but I never really noticed the savings it was supposed to bring. It was just neat for a while cuz it seemed so “high-tech”.
There are rolling dark web sites where you can browse peoples live doorbell cameras, as well as INDOOR security camera feeds.
For the moment, IoT is just a security nightmare. While everything connected at all times is likely the future with IoT, we don't need to rush so fast into it.
Deep diving. I like it :)
are there any 3rd party products or services that can do this for me? I like security but having to do all this myself seems very insecure because it puts all the responsibility on me and I am not a security expert
It is indeed difficult stuff to understand. An easy solution is setting up a guest network, do you know how to make one of those?