Pfsense router/setup advice

Status
Not open for further replies.

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
SSL is not security against attack, it's just encryption.
I took this as good information myself. I saw nothing implying it was offensive.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I am not sure what your intention is, but posts like these are not really of any help tbh.
Yeah, they are, even if you don't understand why yet. TLS is important, and you certainly should be implementing it on anything going over a public network that uses sensitive information (which, really, is just about everything). But it doesn't substitute for securing the software itself. And on that subject, at this point, you just don't know what you don't know.

Edit: On a perhaps-more-encouraging note, if you only forward ports 80 and 443 to that jail, you've greatly limited your exposure--that brings your attack surface down to the web server software itself, PHP, and Nextcloud. You'd still want to investigate securing those, but you don't need to be worried about, for example, FTP vulnerabilities.
 

farmerpling2

Patron
Joined
Mar 20, 2017
Messages
224
...
I am not sure what your intention is, but posts like these are not really of any help tbh. Of course it's always good to criticize certain statements, but besides that, pointing me towards certain techniques/resources (which I asked for in my post) that you consider a must or have experienced yourself by trial/error would actually be helpful for me/others.

I had the same reaction as Jailer. Surprise, sprinkled with a little, "Really?" Having a firewall helps protect you from accidents. I am a full believer in having as much "GOOD" security protection as possible. pfSense is cheap security in the big picture. How often do we hear that a package/protocol is/has been hackable?

I would never run without a firewall, no matter how safe I think my environment is. I would kindly suggest you think about going that way also.

Cheers!
 

Yakje

Explorer
Joined
Feb 8, 2017
Messages
82
FWIW, I have been very happy with passwordless SSH connections that tunnel whatever I want. The tunnels protect the payload, and keys that are more than 1000 bits long are hard to crack. Combine passwordless approaches with auto-blocking (i.e. longer and longer delays between login attempts) and it's pretty secure.

One downside is that you have to know which TCP/IP ports to forward. Another is that some places block SSH connections.

That said, if I were to put a FreeNAS accessible by the internet, it would be considered a burner, i.e. not the primary one. I'd keep it separate from the home LAN.

SSH is definitely an option I have considered as well, and I am actually already using it to access my files through "SFTP". Using a VPN instead of SSH just seems a little more convenient for me, given that I also want to be able to bypass GEO restrictions.

Separating, for example, the pfSense box from my FreeNAS box is definitely something I would do. I don't like the idea of running pfSense as a jail in FreeNAS tbh, since they have completely different purposes.

Like I stated before what you are asking is beyond the scope of this forum. Hardening an internet facing web stack or application is not just a "tutorial" someone can point you to. You'll have to research that on your own and learn for yourself how to do that.

My statements were not meant to offend but they are still true. As I said SSL is not "security" it's just an encrypted connection. SSL alone does not prevent bad actors from attacking and owning any web facing application you may have.

I am aware most of my questions are off-topic/not directly related to FreeNAS, although they will probably benefit other FreeNAS users as well. Since you seem to have knowledge of hardening the security regarding remote access, I simply ask you to share this knowledge. I assume you know of methods you have used in the past or are currently using, which might be interesting for me to look at? I also understand this won't just be a simple tutorial.

As for the SSL part, you made it clear it's an encryption layer which does not provide "security". ;)

I took this as good information myself. I saw nothing implying it was offensive.

I never said anything about it being offensive and I don't take it as such either. Not being a native English speaker might be the bottleneck here :p I am not here to argue, I'm here to learn.

Yeah, they are, even if you don't understand why yet. TLS is important, and you certainly should be implementing it on anything going over a public network that uses sensitive information (which, really, is just about everything). But it doesn't substitute for securing the software itself. And on that subject, at this point, you just don't know what you don't know.

Edit: On a perhaps-more-encouraging note, if you only forward ports 80 and 443 to that jail, you've greatly limited your exposure--that brings your attack surface down to the web server software itself, PHP, and Nextcloud. You'd still want to investigate securing those, but you don't need to be worried about, for example, FTP vulnerabilities.

I will definitely be implementing SSL, for which I recently came across a tutorial on how to do this. Here is the link, for anyone interested.

I will be looking into doing so when I'm done struggling with my setup. I used to have a TP-Link upstairs and the ASUS RT-N66U downstairs, both configured as routers. All my jails were functioning just fine, but since I recently changed the TP-Link router to only act as an access point (using this guide) my jails seem to be unable to connect to the "WAN". Both my FreeNAS box and my desktop are wired through the TP-Link (access point). I can access the internet on my desktop like before, but it seems like the jails inside FreeNAS are unable to after the change. Any ideas about a possible cause?

I had the same reaction as Jailer. Surprise, sprinkled with a little, "Really?" Having a firewall helps protect you from accidents. I am a full believer in having as much "GOOD" security protection as possible. pfSense is cheap security in the big picture. How often do we hear that a package/protocol is/has been hackable?

I would never run without a firewall, no matter how safe I think my environment is. I would kindly suggest you think about going that way also.

Cheers!

This is why I started the topic in the first place. I am considering using a pfSense box in between my router and FreeNAS box. At the moment I am still playing around with the VPN server + client settings on my ASUS RT-N66U router (from which I am currently getting terrible speeds though :S). Eventually I will be switching to a dedicated pfSense box.
 
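The auto-blocking scheme described above (longer and longer delays between login attempts), as an added illustration that is not code from this thread or from pfSense/FreeNAS: a small Python throttle that replays constructed sshd-style log lines (the timestamps and addresses are invented) and doubles a source's wait after every consecutive failure, clearing it on a successful login.

```python
import re
from collections import defaultdict

# Constructed sshd-style log lines with an epoch-second prefix; the
# timestamps and addresses are invented (documentation ranges), not real logs.
SAMPLE_LOG = """\
1500000000 sshd[2001]: Failed password for root from 203.0.113.5 port 40000 ssh2
1500000002 sshd[2002]: Failed password for root from 203.0.113.5 port 40001 ssh2
1500000004 sshd[2003]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
1500000030 sshd[2004]: Failed password for root from 203.0.113.5 port 40003 ssh2
1500000031 sshd[2005]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
1500000200 sshd[2006]: Failed password for root from 203.0.113.5 port 40004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for "
    r"(?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


class ProgressiveBlocker:
    """Per-source login throttle: each consecutive failure doubles the wait
    before that source may try again, capped at max_delay seconds."""

    def __init__(self, base_delay=5, max_delay=3600):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.failures = defaultdict(int)  # consecutive failures per source
        self.blocked_until = {}           # epoch second the current wait ends

    def delay_after(self, n_failures):
        """Wait imposed after the n-th consecutive failure (exponential, capped)."""
        return min(self.base_delay * 2 ** (n_failures - 1), self.max_delay)

    def is_blocked(self, ip, now):
        return now < self.blocked_until.get(ip, 0)

    def record_failure(self, ip, now):
        self.failures[ip] += 1
        self.blocked_until[ip] = now + self.delay_after(self.failures[ip])

    def record_success(self, ip):
        # A successful login clears the source's penalty history.
        self.failures.pop(ip, None)
        self.blocked_until.pop(ip, None)


def replay(log_text, blocker=None):
    """Run log lines through the blocker in order; return (ts, ip, verdict) tuples.
    'dropped' marks attempts that arrived inside a source's wait window."""
    blocker = blocker if blocker is not None else ProgressiveBlocker()
    verdicts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts, ip = int(m["ts"]), m["ip"]
        if blocker.is_blocked(ip, ts):
            verdicts.append((ts, ip, "dropped"))
        elif m["result"] == "Failed":
            blocker.record_failure(ip, ts)
            verdicts.append((ts, ip, "failed"))
        else:
            blocker.record_success(ip)
            verdicts.append((ts, ip, "accepted"))
    return verdicts
```

Running `replay(SAMPLE_LOG)` shows the attacker's second and third attempts refused inside the 5-second window, and the wait growing to 10 and then 20 seconds after the later failures.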

NASbox

Guru
Joined
May 8, 2012
Messages
650
I understand there is always a risk and that there are certain ways to minimize this risk. I know, for example, that setting up SSL for public webpages is a must. Can you point me in other directions I should be looking at? Maybe link some tutorials?

I think what you meant to say was SSH (Secure Shell) not SSL.

If you configure pfSense with a VPN server you will be able to connect very safely from wherever you want to as long as you set things up correctly.

I understand what you are trying to say and checked my router last night, which does support setting up a VPN server as well as a VPN client. It's the "Asus RT-N66U Dark Knight". I will make sure to play around with these settings before actually switching to a pfSense box.

If you value the security of your system, I wouldn't trust an ASUS router to handle your VPN server. I don't know that router, but I've seen some things (vulnerabilities, back doors) that give me NO confidence in consumer grade routers. Whatever you do DO NOT USE PPTP for your VPN as it is very insecure.

I'd go with a pfSense box. Even IF they are perfect as of date of manufacture, they are NOT adequately patched to keep up with the vulnerabilities that are discovered. pfSense is commercial grade/quality and the guys who maintain it are super sharp and it is the basis of their business which is consulting and installing pfSense in commercial installations.

Connect pfSense to your cable/DSL modem and use it for firewall/VPN (client and server) and use your ASUS as an access point on the LAN side. (That way your neighbours are the only ones that can attack its poor security, not the whole internet.) You may also be able to use the built-in switch for your LAN, but given the complexity of what you want to accomplish I'm pretty sure you will need a managed switch that allows you to set up VLANs and multiple subnets.

I will be doing a wide search regarding these subjects and have already read a lot about most of them. At the moment I am trying to connect all the dots.

There are a lot of dots to connect. As has been said before, what you are attempting is not simple, but unless you don't care if you get hacked, you need to either do it right or not do it at all. Given that there are armies of bots trolling the internet looking for devices to hack, simple port forwarding is an invitation to disaster in 2017.

The pfSense forum is a good place to start. You may also be able to find a tutorial about setting up OpenVPN on YouTube.

While you might be able to get by without VLANs/Multiple Sub-networks, best practices would be to keep most of your LAN isolated from the remote VPN access. This will mean you need a managed switch and some intermediate-advanced level knowledge about networking/network setup.

I've recently (about six months ago) switched from using open ports for my jails - a very similar list to those you run - protected by pfBlocker and snort.
....
Whilst this is (as the other posters have said) a FreeNAS forum, if you have any specific questions or need specific guidance on how to do something like this in the future, I'll try and help. I would consider it a bit of give-back for the help I've received (directly or by reading others' posts on the forum) over the years! :). The overarching message is that what you want to do can absolutely be done with FreeNAS behind pfSense. I am also infinitely aware that my way may not be the best way or the only way......

@bikefright If you are willing, I would love to connect with you about this (likely best over on the pfSense forum) with the end goal of putting together a tutorial on setting up this type of remote access. It's not easy to find material that is at the right level for an advanced home user. It's either way too simple, or aimed at the enterprise environment and way too complicated.

Best of luck @Yakje!
 

Yakje

Explorer
Joined
Feb 8, 2017
Messages
82
I think what you meant to say was SSH (Secure Shell) not SSL.

If you configure pfSense with a VPN server you will be able to connect very safely from wherever you want to as long as you set things up correctly.

If you value the security of your system, I wouldn't trust an ASUS router to handle your VPN server. I don't know that router, but I've seen some things (vulnerabilities, back doors) that give me NO confidence in consumer grade routers. Whatever you do DO NOT USE PPTP for your VPN as it is very insecure.

At the moment I did set up a VPN server on the ASUS router using the OpenVPN protocol; this is just for learning purposes though. I plan on adding a pfSense router to the picture soon after I have figured out the basics.

I'd go with a pfSense box. Even IF they are perfect as of date of manufacture, they are NOT adequately patched to keep up with the vulnerabilities that are discovered. pfSense is commercial grade/quality and the guys who maintain it are super sharp and it is the basis of their business which is consulting and installing pfSense in commercial installations.

Any recommendations for a good buy? (I will be making a forum post for this at the pfSense forums as well.) Currently looking at the Qotom Q355G4, but I'm not sure if this will be adequate.

Connect pfSense to your cable/DSL modem and use it for firewall/VPN (client and server) and use your ASUS as an access point on the LAN side. (That way your neighbours are the only ones that can attack its poor security, not the whole internet.) You may also be able to use the built-in switch for your LAN, but given the complexity of what you want to accomplish I'm pretty sure you will need a managed switch that allows you to set up VLANs and multiple subnets.

Sounds like a solid plan, but does this mean you do not enable DHCP on the pfSense box? At the moment I changed my ISP modem to bridged mode, and my ASUS router is acting as DHCP / firewall and VPN server + client. I was thinking about indeed changing the ASUS router to act as an AP and letting the pfSense box (whenever I decide to buy one) handle DHCP / firewall and VPN server + client functionality and keeping the modem in bridged mode, or should I just let the modem take care of DHCP and not put it in bridged mode? Not sure what would be wise here.

There are a lot of dots to connect. As has been said before, what you are attempting is not simple, but unless you don't care if you get hacked, you need to either do it right or not do it at all. Given that there are armies of bots trolling the internet looking for devices to hack, simple port forwarding is an invitation to disaster in 2017.

The pfSense forum is a good place to start. You may also be able to find a tutorial about setting up OpenVPN on YouTube.

I am aware it's not a simple task to achieve. But since I set my mind on doing it, I'd rather do it right, like you said. Already checking the pfSense forums on a regular basis.

While you might be able to get by without VLANs/Multiple Sub-networks, best practices would be to keep most of your LAN isolated from the remote VPN access. This will mean you need a managed switch and some intermediate-advanced level knowledge about networking/network setup.

I have not quite figured out how setting up multiple VLANs/subnets works, but I am learning every day and plan on implementing it eventually. If you happen to know about a beginner's guide or anything related, that would be appreciated!

@bikefright If you are willing, I would love to connect with you about this (likely best over on the pfSense forum) with the end goal of putting together a tutorial on setting up this type of remote access. It's not easy to find material that is at the right level for an advanced home user. It's either way too simple, or aimed at the enterprise environment and way too complicated.

Best of luck @Yakje!

Thanks @NASbox, I will post any progress in this topic and am looking forward to a decent tutorial regarding this topic, would be awesome! Let me know if there is anything I can do to contribute.
 

NASbox

Guru
Joined
May 8, 2012
Messages
650
Any recommendations for a good buy? (I will be making a forum post for this at the pfSense forums as well.) Currently looking at the Qotom Q355G4, but I'm not sure if this will be adequate?
From a quick glance it looks more than adequate. The only thing that was not obvious was does it support the crypto instructions? (Maybe i5 does... don't remember the details.) Check the hardware forum and you'll find something good.

Sounds like a solid plan, but does this mean you do not enable DHCP on the pfSense box? At the moment I changed my ISP modem to bridged mode, and my ASUS router is acting as DHCP / firewall and VPN server + client. I was thinking about indeed changing the ASUS router to act as an AP and letting the pfSense box (whenever I decide to buy one) handle DHCP / firewall and VPN server + client functionality and keeping the modem in bridged mode
That is what I do, and I believe is best practice. I consider an ISP controlled device to be totally untrusted.

I have not quite figured out how setting up multiple VLANs/subnets works, but I am learning every day and plan on implementing it eventually. If you happen to know about a beginner's guide or anything related, that would be appreciated!
It's very hard to find material that is at the right level.... it's either way too simple or way too complex. The reality is that not a lot of home users have anything more than a single subnet connected to an IS switch.

Best of luck.
 

Xelas

Explorer
Joined
Sep 10, 2013
Messages
97
Not to make this much more complicated, but you may want to look at setting up a reverse-proxy service as well:
https://forums.freenas.org/index.ph...-to-reverse-proxy-your-jails-w-certbot.49876/

That said, unless you REALLY know what you are doing, I would very, very strongly recommend just setting up a VPN server on your network and accessing your stuff via a VPN connection, rather than exposing all of your internal services to the web.
With just VPN services, you just have to be sure that your VPN server is updated, and VPN, by definition, is a security system and is designed to be secure, above all else. It is designed and maintained by programmers who focus on the security aspects as their #1 priority. Can you be certain that whatever webserver Sickbeard uses is totally, 100%, updated and vulnerability-free? What about the web server Sonarr uses? What about Sab? Etc. Any vulnerability in ANY of those services makes your whole system vulnerable.

Even many very visible commercial software packages that have dedicated security vulnerability analysis done have breaches and issues. Sonarr, Sab, etc. are hobby projects that are worked on by a small handful of people in their spare time - I guarantee you that those services are not secure enough for unfettered internet exposure. The only one I may consider is NextCloud/OwnCloud, but even that has to be installed PROPERLY, configured correctly, and updated religiously to be really secure.

I'm not a network SECURITY guy, but I do networking. Opening up all of those services to the internet would TERRIFY me. TLS encryption is just that - it's encryption, which is almost completely unrelated to whether a site is actually updated and whether it is actually locked down properly and secure. All it does is encrypt the information sent between you and the site.
 

NASbox

Guru
Joined
May 8, 2012
Messages
650
Not to make this much more complicated, but you may want to look at setting up a reverse-proxy service as well:
https://forums.freenas.org/index.ph...-to-reverse-proxy-your-jails-w-certbot.49876/

That said, unless you REALLY know what you are doing, I would very, very strongly recommend just setting up a VPN server on your network and accessing your stuff via a VPN connection, rather than exposing all of your internal services to the web.
With just VPN services, you just have to be sure that your VPN server is updated, and VPN, by definition, is a security system and is designed to be secure, above all else. It is designed and maintained by programmers who focus on the security aspects as their #1 priority. Can you be certain that whatever webserver Sickbeard uses is totally, 100%, updated and vulnerability-free? What about the web server Sonarr uses? What about Sab? Etc. Any vulnerability in ANY of those services makes your whole system vulnerable.

Even many very visible commercial software packages that have dedicated security vulnerability analysis done have breaches and issues. Sonarr, Sab, etc. are hobby projects that are worked on by a small handful of people in their spare time - I guarantee you that those services are not secure enough for unfettered internet exposure. The only one I may consider is NextCloud/OwnCloud, but even that has to be installed PROPERLY, configured correctly, and updated religiously to be really secure.

I'm not a network SECURITY guy, but I do networking. Opening up all of those services to the internet would TERRIFY me. TLS encryption is just that - it's encryption, which is almost completely unrelated to whether a site is actually updated and whether it is actually locked down properly and secure. All it does is encrypt the information sent between you and the site.

Excellent advice!

And I'd add to that: Use strong keys on the VPN, keep the network segregated so that the most important/sensitive material is not accessible remotely.
 

Xelas

Explorer
Joined
Sep 10, 2013
Messages
97
Thanks, NASbox. Forgot to add - in addition to Nextcloud, Plex is a good option for exposing your media for access from the internet, since it is specifically designed for that, and Plex Inc. has the resources to make the security strong enough. Plex has also been on the market for long enough with no incidents that I know of, so I consider them vetted.
 