Pfsense router/setup advice

Status
Not open for further replies.

Yakje

Explorer
Joined
Feb 8, 2017
Messages
82
Now that I have my FreeNAS box pretty much set up, I want to be able to access it remotely in a secure manner.
Currently I am running: Nextcloud, Plex, Plexpy, Sabnzbd, Sonarr, Radarr, Headphones, NzbHydra, Jackett & Organizr as generic jails.

My idea is to setup a secure VPN connection using Pfsense. I have no experience using Pfsense whatsoever, so any advice is highly appreciated!

My current NAS setup:
OS: FreeNAS 11.0-U4
CPU: Intel Celeron G3920 Boxed
MOBO: Gigabyte GA-X150M-PRO ECC
MEMORY: Kingston ValueRAM KVR21E15D8/8HA
PSU: Seasonic G-series 360 watt
HDD (3x): WD Red WD30EFRX, 3TB
USB (for OS): Sandisk Ultra Fit 16GB Black
CASE: Fractal Design Define Mini

Pfsense router requirements:
  • Act as a VPN client (OpenVPN + PIA)
  • Act as a VPN server
  • Act as a Firewall
  • Act as a proxy?
  • Act as a dynamic DNS server?
  • Setup multiple VLans: Internal (FreeNAS), Family, Guests, etc.
  • Be able to handle Gigabit speeds
  • Want to be able to run the latest Pfsense version, as well as being future proof for at least a couple of years
First off I have to select what hardware to use. I know about the possibility to install Pfsense in a VM on my NAS, but feel more secure separating my VPN / Firewall from my file system a.k.a. NAS. I have read a few topics about DIY Pfsense router builds (which is definitely an option), but feel like the Qotom Q355G4 will be able to do everything I require for a decent price and with the ease of just installing Pfsense and having a compact system. Feel free to advise me otherwise ;)

I am not exactly sure what and what not to route through my "upcoming" VPN client yet, but was primarily thinking about: Plex, Nextcloud (When trying to access from a remote location) & Transmission (Internally while downloading)
Might eventually route all my traffic through the VPN, not sure if this is a good idea though.

About "Transmission", I still need to set up a Transmission jail inside FreeNAS, but since I don't have any VPN setup atm I wanted to wait. I noticed this guide: FreeNAS 11 Jails mentioned installing Transmission together with OpenVPN + IPFW Killswitch. Can I just omit installing OpenVPN + IPFW Killswitch and only install Transmission in a generic jail and route the traffic for Transmission through the "upcoming" Pfsense VPN client, or is this not the right approach?

Recently I also bought a domain, which I would like to use to access my Plex and Nextcloud remotely, for example: privatecloud.com for nextcloud and privatecloud.com/plex for Plex. Not sure yet what would be the best approach as to setting this up? Do I need to create an Nginx jail inside FreeNAS for reverse proxy for example or could I also take care of this aspect within Pfsense?

I would love to hear anyone's take on this matter, my main goal is to be able to access my data from anywhere in a secure and mostly "anonymous" way, also be able to stream plex related content from anywhere in the world in a secure way.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
So you want to place pfSense on FreeNAS? I'm not sure that is a good idea at all and the last time I saw someone ask to do this the kernel support was not present to handle this. If you want to run pfSense then I'd recommend a standalone machine to handle that, even an older machine will generally work so long as you have two NIC ports.

So your current router does not support VPN? Many do nowadays.
 

Yakje

Explorer
Joined
Feb 8, 2017
Messages
82
Thanks for the reply, I however question if you actually read my post? :p I thought I made it quite clear that I do NOT plan on installing pfsense on my FreeNAS box, or was I really that unclear? Don't mean to be rude :rolleyes:

I guess my current router may support VPN, but from what I read in other topics, it will never be able to handle decent/gigabit speeds. Besides that I also like the Firewall aspect of Pfsense.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
There are a number of us here who are using pfSense, but I'm pretty sure the pfSense forums would be a better place for your questions. But if you need secure access to your LAN resources from outside the LAN, the router needs to act as a VPN server, not just as a client.
 

Yakje

Explorer
Joined
Feb 8, 2017
Messages
82
There are a number of us here who are using pfSense, but I'm pretty sure the pfSense forums would be a better place for your questions. But if you need secure access to your LAN resources from outside the LAN, the router needs to act as a VPN server, not just as a client.

That might be a good idea, I will start a thread on there aswell.

About the "VPN server" part, is Pfsense able to act as a VPN server and client at the same time, or would it be better to separate the two? I thought if I subscribe to PIA (Private Internet Access) and configure it inside OpenVPN within Pfsense, this would handle the "server part" as well as the client part. But it seems like I'm already missing something?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
is Pfsense able to act as a VPN server and client at the same time
Yes.
I thought if i subscribe to PIA (private internet access) and configure it inside Openvpn within Pfsense. this would handle the "server part" aswell as the client part.
No. Your PIA subscription means that traffic from your LAN to the Internet goes through an encrypted tunnel to their servers, from which it goes unencrypted to the rest of the Internet. That may or may not provide you with some degree of privacy if you're doing things that you don't want to be known. But it doesn't do anything to let you connect to your LAN from outside.
But if all you want to be able to do is stream Plex, you don't need a VPN for that at all. Forward port 32400 to your Plex jail and call it a day.
 

Yakje

Explorer
Joined
Feb 8, 2017
Messages
82
Yes.

No. Your PIA subscription means that traffic from your LAN to the Internet goes through an encrypted tunnel to their servers, from which it goes unencrypted to the rest of the Internet. That may or may not provide you with some degree of privacy if you're doing things that you don't want to be known. But it doesn't do anything to let you connect to your LAN from outside.
But if all you want to be able to do is stream Plex, you don't need a VPN for that at all. Forward port 32400 to your Plex jail and call it a day.

That makes sense, I currently already have the Plex port forwarded. But is there no security risk attached to simply opening up these ports? Could I do the same for example with the Nextcloud and other jail ports without compromising my application/data?

I would however also like to be able to remotely access some of my datasets and want to use it to get around geo blocking, so I can watch live streaming content from certain channels that only allow you to watch the content in some specific areas.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
Thanks for the reply, I however question if you actually read my post? :p I thought I made it quite clear that I do NOT plan on installing pfsense on my FreeNAS box, or was I really that unclear? Don't mean to be rude :rolleyes:
You are not being rude at all and I have thick skin so I don't offend easily.

I asked that question because you are asking about pfSense in a FreeNAS forum. I was debating on if I should move this to the Off-Topic section of the forums.

I guess my current router may support VPN, but from what I read in other topics, it will never be able to handle decent/gigabit speeds. Besides that I also like the Firewall aspect of Pfsense.
While I'm all for you creating a firewall like pfSense, I believe your skill level is fairly low at this point in time and I was thinking it may be much easier to use the VPN in the router than learning all the details of pfSense. Setting up basic pfSense isn't hard but it gets more complicated when you start doing more with it. I use a different firewall and even the initial setup was not very easy for a novice. And as @danb35 said, just use port forwarding if that gets you to the finish line.

I would however also like to be able to remotely access some of my datasets and want to use it to get around geo blocking, so I can watch live streaming content from certain channels that only allow you to watch the content in some specific areas.
If you do need VPN, pfSense can do that. I have two ways to get to my data: my firewall has VPN and I can use that, and I also have a Windows 7 Pro machine at home and I use RDP to access it, not over VPN. It all works fine either way I go. With RDP I can copy and paste very easily. It's just something to think about.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I would however also like to be able to remotely access some of my datasets and want to use it to get around geo blocking
These are two very different requirements. The first requires you run a VPN server, the second requires use of a VPN client to a third-party service (like PIA) which can make you pretend to be somewhere else. pfSense can handle both, but they're different things.
 

Yakje

Explorer
Joined
Feb 8, 2017
Messages
82
You are not being rude at all and I have thick skin so I don't offend easily.

I asked that question because you are asking about pfSense in a FreeNAS forum. I was debating on if I should move this to the Off-Topic section of the forums.

I am glad you see it that way and totally understand your debate :). I guess it is kind of off-topic, although there are some questions related to FreeNAS as well. I was hoping to trigger some FreeNAS users who have already achieved, or are currently trying to achieve, the same thing.

While I'm all for you creating a firewall like pfSense, I believe your skill level is fairly low at this point in time and I was thinking it may be much easier to use the VPN in the router than learning all the details of pfSense. Setting up basic pfSense isn't hard but it gets more complicated when you start doing more with it. I use a different firewall and even the initial setup was not very easy for a novice. And as @danb35 said, just use port forwarding if that gets you to the finish line.

You might be right about this; I am however eager to learn and most of the time don't tend to take the "easy road". Also I don't like the fact that most "consumer" router firmware is not regularly maintained and does not possess the hardware specs to fulfill the needs I might have in the future. Besides that I like to be as "safe"/"anonymous" as possible in the digital landscape we are currently living in. I might first try to establish a VPN connection on my current router, just for learning purposes though.

To get back to opening ports, would for example simply opening the Nextcloud ports to the world be without any risk?

If you do need VPN, pfSense can do that. I have two ways to get to my data: my firewall has VPN and I can use that, and I also have a Windows 7 Pro machine at home and I use RDP to access it, not over VPN. It all works fine either way I go. With RDP I can copy and paste very easily. It's just something to think about.

My desktop machine does run on Windows 10 Pro, it is however not turned on 24/7 like my FreeNAS system and I don't intend it to be either. So using RDP is not really an option for me at the moment.

Another issue I am currently struggling with is getting my jails like Nextcloud / Plex linked to my domain, (for example) privatecloud.com for Nextcloud and privatecloud.com/plex for Plex, as I also addressed in my start post. I am not really sure how to tackle this? Is this something I should configure in an Nginx jail? Can I configure it in a Pfsense box? Or do I need something completely different? What would be wise?
 

Yakje

Explorer
Joined
Feb 8, 2017
Messages
82
These are two very different requirements. The first requires you run a VPN server, the second requires use of a VPN client to a third-party service (like PIA) which can make you pretend to be somewhere else. pfSense can handle both, but they're different things.

Thanks for explaining! This made me understand the concept a lot better :) With my future plans in mind, I am leaning towards running a VPN server as well as a VPN client. Which makes a dedicated Pfsense router a good contender I guess.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
would for example simply opening the nextcloud ports to the world be without any risk?
Any time you open a port there is some risk. You mitigate that risk by hardening your installation against most common attacks. But that is a subject you will have to research yourself as it's way beyond the scope of this forum.
 

farmerpling2

Patron
Joined
Mar 20, 2017
Messages
224
pfSense is best used by more advanced users, IMHO. I have run it for years and it works well. Lots of knobs, but with knobs, it requires extra time to understand how they work.

I would not recommend to someone as their first firewall. Of course there is the other side that you have jailed a bunch of packages, so maybe your technical skills can handle it.

pfSense can do everything you are asking of it and a lot more.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
Another issue I am currently struggling with is getting my jails like Nextcloud / Plex linked to my domain, (for example) privatecloud.com for Nextcloud and privatecloud.com/plex for Plex, as I also addressed in my start post. I am not really sure how to tackle this?
This isn't typically too difficult to do but your domain name service (where you bought your URL) may have tools to assist with that, and if not then your firewall might be able to assist. It's not easy to get it to work but once you have it figured out then all works great. This stuff is above and beyond FreeNAS and while you are tossing in the word FreeNAS periodically most of your questions have an answer that are not FreeNAS at all.

I'd recommend that you do a search on the internet on how to setup firewall routing, specifically port forwarding and SFTP.

Did you know that FreeNAS has an SFTP server built in? This means that you could access your files remotely that are on the server. All you need to do is set it up and open up the SFTP port on your router's firewall. Super simple. If you are looking at using "http://my.ipaddress.com/Thanksgiving" then "http://my.ipaddress.com" needs an open port 80 to a web server, and the "/Thanksgiving" is a webpage on that server. This is all basic stuff but when it's new to you it can get overwhelming.
 

Yakje

Explorer
Joined
Feb 8, 2017
Messages
82
Any time you open a port there is some risk. You mitigate that risk by hardening your installation against most common attacks. But that is a subject you will have to research yourself as it's way beyond the scope of this forum.

I understand there is always a risk and that there are certain ways to minimize this risk. I know for example setting up SSL for public webpages is a must. Can you point me in other directions I should be looking at? Maybe link some tutorials?

pfSense is best used by more advanced users, IMHO. I have run it for years and it works well. Lots of knobs, but with knobs, it requires extra time to understand how they work.

I would not recommend it to someone as their first firewall. Of course there is the other side that you have jailed a bunch of packages, so maybe your technical skills can handle it.

pfSense can do everything you are asking of it and a lot more.

I understand what you are trying to say and checked my router last night, which does support setting up a VPN server as well as a VPN client. It's the "Asus RT-N66U Dark Knight". I will make sure to play around with these settings before actually switching to a pfsense box.

This isn't typically too difficult to do but your domain name service (where you bought your URL) may have tools to assist with that, and if not then your firewall might be able to assist. It's not easy to get it to work but once you have it figured out then all works great. This stuff is above and beyond FreeNAS and while you are tossing in the word FreeNAS periodically most of your questions have an answer that are not FreeNAS at all.

I'd recommend that you do a search on the internet on how to setup firewall routing, specifically port forwarding and SFTP.

I will be doing a wide search regarding these subjects and have already read a lot about most of them. At the moment I am trying to connect all the dots. I am aware most of the questions are not directly related to FreeNAS, however I do think most FreeNAS users will at some point be asking similar questions. The first place they will be searching is the FreeNAS forums. Feel free to move this thread to the Off-topic section though ;)

Did you know that FreeNAS has an SFTP server built in? This means that you could access your files remotely that are on the server. All you need to do is set it up and open up the SFTP port on your router's firewall. Super simple. If you are looking at using "http://my.ipaddress.com/Thanksgiving" then "http://my.ipaddress.com" needs an open port 80 to a web server, and the "/Thanksgiving" is a webpage on that server. This is all basic stuff but when it's new to you it can get overwhelming.

Yes, I am actually already using this feature, which I think is awesome!
I guess I just have to start trying to get it all set up one by one; I will of course keep you all updated on my progress!
 

bikefright

Cadet
Joined
Jul 4, 2016
Messages
5
I've recently (about six months ago) switched from using open ports for my jails - a very similar list to those you run - protected by pfBlocker and snort.

I now use a bunch of OpenVPN servers (I have 2 x fibre and 1 x ADSL incoming) on my pfSense to handle remote connection from outside the home. I also use a VPN client from a well known provider to route some traffic from my LAN. I retired pfBlocker and snort once I was comfortable with the functionality of OpenVPN, but I retained the rules and NAT port forwards just in case :smile:. I was really only using these two packages to protect my open ports.

pfSense provides a very useful OpenVPN client export tool which, once you've correctly configured your OpenVPN server, will allow you to export the configuration information needed for whatever platform (android/iOS/windows etc.) you wish to use to connect from.

In terms of restricting LAN access for a connected OpenVPN client, this is easily achieved using the "ipv4 local networks" setting against your OpenVPN server to specify the specific jail IPs (and/or other local LAN IPs) that you wish to be accessible from your OpenVPN client.

For example, I use OwnCloud for hoarding ebooks and magazines, which I like to sit and read when I'm out and about. OwnCloud is set to the WebDAV address on my LAN of my OwnCloud jail, so when I go out, I fire up my OpenVPN client on my laptop or iPad etc., pull an .epub or .pdf down to my local device and then read it at my leisure. Works a treat!

I also have the relevant android apps like nzb360 and showsrage configured in a similar way using the LAN addresses of my jails in the server setup field within the apps.

With respect to domain/DNS - I have tried many solutions over the years and have settled on a keep-it-simple-stupid configuration that revolves around a bunch of free dynamic DNS providers. These are configured on the pfSense and provide a mechanism solely for me to reliably resolve my OpenVPN servers when I am out and about and want to fire up the relevant OpenVPN client. I still own three domains, but no longer have them configured.

Whilst this is (as the other posters have said) a FreeNAS forum, if you have any specific questions or need specific guidance on how to do something like this in the future, I'll try and help. I would consider it a bit of give-back for the help I've received (directly or by reading others' posts on the forum) over the years! :smile:. The overarching message is that what you want to do can absolutely be done with FreeNAS behind pfSense. I am also infinitely aware that my way may not be the best way or the only way......
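Added example (not from the thread, not bikefright's configuration and not pfSense code): a small Python model of the three traffic paths discussed in this thread, so that danb35's distinction between the VPN server (inbound road-warrior access) and the VPN client (outbound tunnel to a provider such as PIA), bikefright's "IPv4 Local Networks" allow-list for what a connected client may reach, and the kill-switch question from the opening post (a VPN-only jail must drop, not leak via the ISP, when the provider tunnel is down) can be seen side by side. All addresses, interface names, gateway names and the jail layout are constructed assumptions; the only real port numbers are Plex's 32400 (named above) and OpenVPN's default 1194.

```python
"""Toy policy-routing model for a pfSense-style edge in front of FreeNAS jails.

Constructed example: none of the addresses or names below are the poster's.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology (assumption).
LAN = ip_network("192.168.1.0/24")
OVPN_CLIENTS = ip_network("10.8.0.0/24")   # tunnel net handed to road-warrior clients
JAIL_NEXTCLOUD = ip_address("192.168.1.50")
JAIL_PLEX = ip_address("192.168.1.51")
JAIL_TORRENT = ip_address("192.168.1.60")
FREENAS_GUI = ip_address("192.168.1.10")

OPENVPN_PORT = 1194          # OpenVPN server listening on WAN (default port)
PORT_FORWARDS = {32400: JAIL_PLEX}   # the one plain NAT forward danb35 mentions

# "IPv4 Local Networks" style allow-list: only these LAN hosts are reachable
# by a connected VPN client (everything else on the LAN stays invisible).
VPN_REACHABLE = {JAIL_NEXTCLOUD, JAIL_PLEX}

# Hosts whose Internet traffic may leave only through the provider tunnel.
VPN_ONLY_SOURCES = {JAIL_TORRENT}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str      # "lan", "ovpn_server" or "wan"
    dport: int = 0     # destination TCP/UDP port, 0 when irrelevant


@dataclass(frozen=True)
class Decision:
    action: str        # "allow" or "drop"
    gateway: str       # "local", "WAN_GW", "PIA_GW", or "" when dropped
    reason: str


def route(pkt: Packet, pia_up: bool) -> Decision:
    """Decide what the edge does with one packet, given provider-tunnel state."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)

    # 1) Inbound from a road-warrior client over the OpenVPN *server*.
    if pkt.in_iface == "ovpn_server":
        if src not in OVPN_CLIENTS:
            return Decision("drop", "", "source not in the tunnel network")
        if dst in VPN_REACHABLE:
            return Decision("allow", "local", "VPN client -> allowed jail")
        return Decision("drop", "", "VPN client -> host outside local-networks list")

    # 2) Traffic originating on the LAN.
    if pkt.in_iface == "lan":
        if src not in LAN:
            return Decision("drop", "", "source not in LAN")
        if dst in LAN:
            return Decision("allow", "local", "LAN -> LAN")
        if src in VPN_ONLY_SOURCES:
            # Kill switch: the VPN-only host never falls back to the ISP gateway.
            if pia_up:
                return Decision("allow", "PIA_GW", "VPN-only host via provider tunnel")
            return Decision("drop", "", "kill switch: provider tunnel is down")
        return Decision("allow", "WAN_GW", "LAN -> Internet via ISP")

    # 3) Unsolicited inbound from the Internet: only the VPN server port and
    #    explicit forwards are reachable; nothing else is exposed.
    if pkt.dport == OPENVPN_PORT:
        return Decision("allow", "local", "OpenVPN server terminates on the edge")
    if pkt.dport in PORT_FORWARDS:
        return Decision("allow", "local", f"NAT forward to {PORT_FORWARDS[pkt.dport]}")
    return Decision("drop", "", "unsolicited WAN traffic")


if __name__ == "__main__":
    cases = [
        (Packet("10.8.0.6", str(JAIL_NEXTCLOUD), "ovpn_server"), True),
        (Packet("10.8.0.6", str(FREENAS_GUI), "ovpn_server"), True),
        (Packet(str(JAIL_TORRENT), "203.0.113.9", "lan", 443), True),
        (Packet(str(JAIL_TORRENT), "203.0.113.9", "lan", 443), False),
        (Packet("192.168.1.20", "203.0.113.9", "lan", 443), False),
        (Packet("198.51.100.7", "203.0.113.1", "wan", 32400), True),
        (Packet("198.51.100.7", "203.0.113.1", "wan", 22), True),
    ]
    for pkt, up in cases:
        d = route(pkt, up)
        print(f"{pkt.in_iface:12} {pkt.src:>14} -> {pkt.dst:<14} pia_up={up!s:5} {d.action:5} {d.gateway:7} {d.reason}")
```

The two rows worth staring at are the torrent jail with `pia_up=False` (dropped, not sent via `WAN_GW`) and the VPN client reaching the FreeNAS GUI address (dropped because it is not in the local-networks allow-list); those are the two leaks a remote-access setup most often gets wrong.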
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
I understand there is always a risk and that there are certain ways to minimize this risk. I know for example setting up SSL for public webpages is a must.
SSL is not security against attack, it's just encryption.
 

Yakje

Explorer
Joined
Feb 8, 2017
Messages
82
I've recently (about six months ago) switched from using open ports for my jails - a very similar list to those you run - protected by pfBlocker and snort.

I now use a bunch of OpenVPN servers (I have 2 x fibre and 1 x ADSL incoming) on my pfSense to handle remote connection from outside the home. I also use a VPN client from a well known provider to route some traffic from my LAN. I retired pfBlocker and snort once I was comfortable with the functionality of OpenVPN, but I retained the rules and NAT port forwards just in case :). I was really only using these two packages to protect my open ports.

pfSense provides a very useful OpenVPN client export tool which, once you've correctly configured your OpenVPN server, will allow you to export the configuration information needed for whatever platform (android/iOS/windows etc.) you wish to use to connect from.

In terms of restricting LAN access for a connected OpenVPN client, this is easily achieved using the "ipv4 local networks" setting against your OpenVPN server to specify the specific jail IPs (and/or other local LAN IPs) that you wish to be accessible from your OpenVPN client.

For example, I use OwnCloud for hoarding ebooks and magazines, which I like to sit and read when I'm out and about. OwnCloud is set to the WebDAV address on my LAN of my OwnCloud jail, so when I go out, I fire up my OpenVPN client on my laptop or iPad etc., pull an .epub or .pdf down to my local device and then read it at my leisure. Works a treat!

I also have the relevant android apps like nzb360 and showsrage configured in a similar way using the LAN addresses of my jails in the server setup field within the apps.

With respect to domain/DNS - I have tried many solutions over the years and have settled on a keep-it-simple-stupid configuration that revolves around a bunch of free dynamic DNS providers. These are configured on the pfSense and provide a mechanism solely for me to reliably resolve my OpenVPN servers when I am out and about and want to fire up the relevant OpenVPN client. I still own three domains, but no longer have them configured.

Whilst this is (as the other posters have said) a FreeNAS forum, if you have any specific questions or need specific guidance on how to do something like this in the future, I'll try and help. I would consider it a bit of give-back for the help I've received (directly or by reading others' posts on the forum) over the years! :). The overarching message is that what you want to do can absolutely be done with FreeNAS behind pfSense. I am also infinitely aware that my way may not be the best way or the only way......

Thanks for giving me a sneak peek into your journey! This indeed sounds like a similar experience. I don't have any experience when it comes to pfBlocker/snort and will probably not be using those, since I will go straight for the VPN option. Although buying a Pfsense box does still sound like a solid option, I will first be experimenting with the VPN options available in my current router. When I feel familiar using this functionality, I will probably switch to a dedicated Pfsense box.

Instead of OwnCloud, I will be using Nextcloud (mostly for school/work/private related purposes). This is one of the main reasons I would like to set up remote access.

I just downloaded nzb360, which seems like a pretty solid app. Will definitely be looking into using this as well! :)

I still don't like the idea of having a domain like blablabla.dyndns.nl instead of just blablabla.nl. But I guess only time can tell whether I will eventually settle for your solution as well :p

I will try to post all the findings of my bumpy ride in this topic, so others might profit from it as well. So I guess it's best to keep an eye out for this thread and reply whenever you feel like you can contribute, like you just did :)

SSL is not security against attack, it's just encryption.

I am not sure what your intention is, but posts like these are not really of any help tbh. Of course it's always good to criticize certain statements, but besides that, pointing me towards certain techniques/resources (which I asked for in my post) that you consider a must or experienced yourself by trial/error would actually be helpful for me/others.
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
FWIW, I have been very happy with passwordless SSH connections that tunnel whatever I want. The tunnels protect the payload, and keys that are more than 1000 bits long are hard to crack. Combine passwordless approaches with auto-blocking (i.e. longer and longer delays between login attempts) and it's pretty secure.

One downside is that you have to know which TCP/IP ports to forward. Another is that some places block SSH connections.

That said, if I were to make a FreeNAS accessible by the internet, it would be considered a burner, i.e. not the primary one. I'd keep it separate from the home LAN.
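Added example (not from the thread and not FreeNAS code): the "auto-blocking" Constantin describes, applied to the SSH/SFTP port joeschmuck suggests opening on the router. Every third failure from one address earns a block, and each block an address earns is twice as long as its previous one; a successful key-based login clears the counter. The log lines are constructed in OpenSSH's syslog format using RFC 5737 documentation addresses, and the threshold, base block length and window are assumed values, not anything from the thread.

```python
"""Progressive-delay blocker replayed over constructed sshd log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Syslog line: "<Mon dd HH:MM:SS> <host> sshd[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"^Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port")
ACCEPT_RE = re.compile(r"^Accepted \w+ for \S+ from (?P<ip>[\d.]+) port")

EPOCH = datetime(1900, 1, 1)   # syslog timestamps carry no year


def parse_ts(text):
    """Syslog timestamp -> seconds since 1900-01-01 (enough for ordering/deltas)."""
    return (datetime.strptime(text, "%b %d %H:%M:%S") - EPOCH).total_seconds()


class ProgressiveBlocker:
    """Block an address after `threshold` failures within `window` seconds.

    The first block lasts `base_block` seconds; each further block for the
    same address doubles. Assumed parameters, chosen for the example.
    """

    def __init__(self, threshold=3, base_block=60.0, window=600.0):
        self.threshold, self.base_block, self.window = threshold, base_block, window
        self.recent = defaultdict(list)    # ip -> timestamps of counted failures
        self.strikes = defaultdict(int)    # ip -> number of blocks earned so far
        self.blocked_until = {}            # ip -> block expiry time
        self.ignored = defaultdict(int)    # ip -> attempts seen while blocked

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, float("-inf")) > now

    def failure(self, ip, now):
        """Count a failed login; return the block expiry if one is (still) in force."""
        if self.is_blocked(ip, now):
            self.ignored[ip] += 1          # a firewall table would simply drop this
            return self.blocked_until[ip]
        hits = [t for t in self.recent[ip] if now - t <= self.window] + [now]
        if len(hits) < self.threshold:
            self.recent[ip] = hits
            return None
        self.strikes[ip] += 1
        self.blocked_until[ip] = now + self.base_block * 2 ** (self.strikes[ip] - 1)
        self.recent[ip] = []               # start a fresh count after the block
        return self.blocked_until[ip]

    def success(self, ip, now):
        self.recent[ip] = []               # a successful (key) login clears the counter


def process_log(lines, blocker=None):
    """Replay sshd log lines through the blocker and return per-address state."""
    blocker = blocker or ProgressiveBlocker()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        now, msg = parse_ts(m["ts"]), m["msg"]
        if f := FAILED_RE.match(msg):
            blocker.failure(f["ip"], now)
        elif a := ACCEPT_RE.match(msg):
            blocker.success(a["ip"], now)
    seen = set(blocker.strikes) | set(blocker.recent) | set(blocker.blocked_until)
    return {ip: {"strikes": blocker.strikes[ip],
                 "blocked_until": blocker.blocked_until.get(ip),
                 "ignored_while_blocked": blocker.ignored[ip]} for ip in seen}


# Constructed sample log (documentation addresses; not real FreeNAS output).
SAMPLE_LOG = [
    "Oct 12 10:00:01 freenas sshd[2001]: Failed password for root from 203.0.113.5 port 51001 ssh2",
    "Oct 12 10:00:03 freenas sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2",
    "Oct 12 10:00:05 freenas sshd[2003]: Failed password for invalid user pi from 203.0.113.5 port 51003 ssh2",
    "Oct 12 10:00:30 freenas sshd[2004]: Failed password for root from 203.0.113.5 port 51004 ssh2",
    "Oct 12 10:02:00 freenas sshd[2005]: Accepted publickey for yakje from 192.168.1.20 port 40000 ssh2: ED25519 SHA256:constructed",
    "Oct 12 10:03:00 freenas sshd[2006]: Failed password for root from 198.51.100.9 port 60001 ssh2",
    "Oct 12 10:04:00 freenas sshd[2007]: Failed password for root from 198.51.100.9 port 60002 ssh2",
    "Oct 12 10:05:00 freenas sshd[2008]: Failed password for root from 203.0.113.5 port 51005 ssh2",
    "Oct 12 10:05:02 freenas sshd[2009]: Failed password for root from 203.0.113.5 port 51006 ssh2",
    "Oct 12 10:05:04 freenas sshd[2010]: Failed password for root from 203.0.113.5 port 51007 ssh2",
]

if __name__ == "__main__":
    for ip, state in sorted(process_log(SAMPLE_LOG).items()):
        print(ip, state)
```

With the sample above, 203.0.113.5 trips the threshold at 10:00:05 (60 s block), has its 10:00:30 attempt ignored while blocked, and trips it again at 10:05:04 for a 120 s block ending 10:07:04; 198.51.100.9 stays at two failures and is never blocked. Whether password authentication is even enabled is a separate and bigger lever: with `PasswordAuthentication no` in sshd_config these lines would not appear at all, which is the point of the passwordless approach.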
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
I am not sure what your intention is, but posts like these are not really of any help tbh. Of course it's always good to criticize certain statements, but besides that, pointing me towards certain techniques/resources (which I asked for in my post) that you consider a must or experienced yourself by trial/error would actually be helpful for me/others.
Like I stated before what you are asking is beyond the scope of this forum. Hardening an internet facing web stack or application is not just a "tutorial" someone can point you to. You'll have to research that on your own and learn for yourself how to do that.

My statements were not meant to offend but they are still true. As I said, SSL is not "security", it's just an encrypted connection. SSL alone does not prevent bad actors from attacking and owning any web facing application you may have.
 