How to secure pfSense when behind a public IP with open ports? Plus some VLAN doubts.



So I recently built a home server running Windows 10 Pro and Hyper-V. I initially went with OPNsense, but have now switched to pfSense. Documentation for OPNsense is pretty thin, and so are guides online, whereas pfSense information is abundant. So anyway, I've got it up and running in Hyper-V, and all my devices are getting internet and LAN access as well as being able to push gigabit.

 

Now the thing is, I'm on Carrier Grade NAT. I learned that this is what it is called recently, while I have been tearing my hair out to get stuff to work for external access. Turns out, I cannot. Well, not in a straightforward way at least. Some guides do mention using a VPS running a VPN, or SSH tunneling, but my networking knowledge is limited, so I don't want to go down those roads. So since I have a double NAT (and I cannot put the ISP hardware in bridge mode like many guides online suggest), my only option is to pay my ISP for a public IP. Which I intend to do in the near future.

 

So how do I secure my network for this? I want to be able to run OpenVPN, NextCloud, AirSonic and maybe Plex with external access for all. I don't intend to host my website from home as it is too risky. That will remain on professional hosting. I have professional email with GSuite, and want that to continue as well. Can I point my domain to my home server for Plex, NextCloud etc., while still having an externally hosted website and email? Ideally I would like to have plex.mydomain.com, nextcloud.mydomain.com, etc.


I also plan to buy a managed switch next year sometime for segregating traffic using VLANs. But I have some doubts regarding this. I am totally new to this. How do I segregate wireless traffic? Will I need to buy new access points? I've seen hardware from Ubiquiti highly recommended online by many people, but they are bloody expensive here! They start at the equivalent of $150, which is way too much for me at least. I would ideally like to have some wireless clients with unrestricted access and some with only internet and not LAN access. For wired, I think I understand how VLANs work. I have to create a VLAN, assign it to a port on the switch, and then connect whatever device I want on that port, which will get the alternate IP address specified for that VLAN.

Since you will only have one public IP address, all that you would need is one sub-domain, something like home.yourdomain.com, pointing to your home IP address. Everything else from there is split out via port forwarding to the correct IP addresses within your network. With a managed switch and a wireless AP that supports VLANs, you can segregate traffic easily, but you can also segregate traffic by IP address firewall rules and source route firewall rules.

 

Peplink makes some great wireless AC access points that support VLANs and multiple SSIDs: https://www.amazon.com/Peplink-Pepwave-One-mini-APO-AC-MINI/dp/B00PJSGG1K/ref=sr_1_fkmr0_1?ie=UTF8&qid=1546256074&sr=8-1-fkmr0&keywords=peplink+wireless+ac

 

I would definitely recommend reading up and learning more about port forwarding, firewall rules and VLANs, as it can get quite complicated very quickly depending on how you do your setup.

 

 


Ah crap, so I do ideally need an AP that supports VLANs. That Peplink one you linked to is also quite expensive actually. Almost as much as a Ubiquiti. Also, I don't think it is available in India. Importing from abroad is not an option as the shipping is too high. Customs may slap on duty as well. Segregating through firewall... not very familiar with it. My networking isn't great, but I do want to learn! Also, I'm totally new to the whole running-your-own-router scene. I've been using an off-the-shelf router all these years.

 

Ok, but I don't really see the benefit of home.mydomain.com as I'm not running a website. Correct me if I'm wrong. I ideally want to be able to have NextCloud, Plex etc. as separate domains so that I can just hit them up as and when from anywhere. Looks more impressive too! :laugh:

 

Yup, I'm still reading up on all this. Not going to invest in hardware without knowing much more. As of now my setup is quite simple, although with quite a lot of devices. But yes, it is going to get complicated once I have all these services up and running.

It just struck me...couldn't I plug in a standard WiFi AP into a VLAN tagged port on a managed switch and have a segregated network that way? Of course, that is one additional AP just for restricted access.

I have the previous model, the SG300 from Cisco, in the 28-port and 10-port models; love them. So yeah, that would be a good choice for a switch. While it's not the full IOS command listing, if you know Cisco then you will have no issues, and the GUI on the 300s is nice. I have to assume it's the same GUI interface on the 350s.

 

If you use different APs for your different VLANs/networks then sure, your AP does not need to support VLANs. But take a look at the UniFi line: very reasonable pricing with full feature sets, PoE and support for VLANs... You can even do dynamically assigned VLANs to your clients, etc. etc.

 

Once you get yourself exposed to public, i.e. not behind a CGN... Oh yeah, that sucks!! I allow friends and family to use my Plex server; it's as simple as forwarding the port. But I limit it to their source IPs, so only they can directly access my Plex. If they are not on their IPs then they have to use the Plex indirect mode. Plex doesn't really need port forwards inbound to share, but if you don't have them you're limited to bouncing your traffic off the Plex servers, which limits bandwidth.

 

As to OpenVPN: it's pretty freaking secure ;) So no issues with exposing that, to be honest. Use TLS auth and encryption as well, and it will keep some noise out of the logs.

 

Keep in mind who exactly is going to be accessing this stuff. If it's just you and/or your devices, you can always just VPN in and then access the services you want, NextCloud, Plex, etc., all through the secure VPN. For example, if I want to stream music/video from my Plex server while on the road I just VPN in to my network, and then I'm not doing indirect off Plex.

 

But yeah, it's a good idea to isolate all your IoT stuff on their own VLANs, and sure, anything that is accessed from the public should be isolated in a different VLAN than your trusted stuff.

 

Once you get your switch and you have questions just ask... Glad to see you wised up about that distro that will not be named by me ;)

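As an added example, not from the original thread and not pfSense's own generated ruleset: the setup BudMan describes above, written as FreeBSD pf rules, which is what pfSense builds from its GUI (Firewall > NAT for the port forward, Firewall > Rules and Firewall > Aliases for the rest; `pfctl -sr` and `pfctl -sn` on the box show the generated rules). Interface names, addresses, the VLAN ID and the friends' IP ranges are all assumptions. It also answers the earlier VLAN question: a plain AP plugged into a switch port that is an untagged (access) member of VLAN 20 puts its clients on the guest network; only the switch uplink to pfSense carries the 802.1Q tag, which is why the firewall sees the VLAN as its own interface.

```pf
# Assumed interface names: igb0 = WAN, igb1 = LAN (trusted),
# igb1.20 = VLAN 20 (guest/IoT), arriving tagged on the trunk from the switch.
ext_if   = "igb0"
lan_if   = "igb1"
guest_if = "igb1.20"

lan_net   = "192.168.1.0/24"
guest_net = "192.168.20.0/24"

# Assumed internal hosts
plex_srv = "192.168.1.10"

# Source addresses allowed to reach Plex directly (assumed, documentation ranges).
# Everyone else falls back to Plex relay, as the post describes.
table <plex_friends> { 203.0.113.7, 198.51.100.0/28 }

# Non-routable space: blocked as a WAN source, and as a guest destination
table <private_nets> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }

set skip on lo0

# --- NAT ---
nat on $ext_if from { $lan_net, $guest_net } to any -> ($ext_if)

# Weak form (what most guides show): Plex reachable from the whole internet.
# rdr on $ext_if proto tcp from any to ($ext_if) port 32400 -> $plex_srv port 32400

# Corrected form: the forward only exists for the listed source addresses.
rdr on $ext_if proto tcp from <plex_friends> to ($ext_if) port 32400 -> $plex_srv port 32400

# --- Filtering (default deny, first 'quick' match wins) ---
block all
block in quick on $ext_if from <private_nets>

# OpenVPN is the only service open to everyone (tls-auth drops unauthenticated packets).
pass in quick on $ext_if proto udp from any to ($ext_if) port 1194

# Plex: rdr already rewrote the destination, so filter on the internal address.
pass in quick on $ext_if proto tcp from <plex_friends> to $plex_srv port 32400

# Trusted LAN: unrestricted.
pass in quick on $lan_if from $lan_net to any

# Guest VLAN: DHCP and DNS from the firewall, internet only, no private networks.
pass in quick on $guest_if proto udp from any port 68 to any port 67
pass in quick on $guest_if proto { tcp, udp } from $guest_net to ($guest_if) port 53
block in quick on $guest_if from $guest_net to <private_nets>
pass in quick on $guest_if from $guest_net to any

pass out quick all
```

The ordering matters because of `quick`: the guest block on `<private_nets>` has to sit above the guest pass-to-any, and the DNS rule has to sit above the block, since the firewall's own VLAN address is itself private. In the pfSense GUI the same result is an alias for the friends' addresses used as the Source of the NAT rule, and on the guest interface a block rule with an RFC1918 alias as Destination placed above the allow-all rule.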

Good to hear, BudMan! Access to all this is mostly going to be me and my wife. Kids and parents will be just Plex. I'm on a fast but capped connection, so I'm not going to be giving Plex access to friends, except maybe for a NextCloud share for occasionally exchanging files. NextCloud will also be used for exchanging files with clients for work.

 

Great, I will just use a separate regular AP then! Ubiquiti is way too expensive here, like I mentioned. Equivalent of $150 for a Lite AP! Whereas a regular 802.11ac device is less than $20. Sure, it doesn't do gigabit, but I don't need that anyway, as devices connected to them will be wireless. I've already got 2 APs that will keep serving unrestricted in the whole house. Will need just 2 more for restricted WiFi. Will also use the restricted-traffic APs with Captive Portal for guests.

 

Question. If you can VPN into your home network, why do you use Plex? Couldn't you just play files directly from a file explorer? Unless your Plex server transcodes to save bandwidth.

 

Also, I read online that these Cisco switches are EOL. That's one reason they are cheaper than other switches. So is this something I need to be concerned about? From what I've read, companies have moved on from them for various reasons, but mine is strictly home usage. And a lot of people on Reddit say that they are still fantastic for home use. But I don't intend to upgrade this switch for the next like 10 years. 10 Gig LAN is still ###### expensive to implement in a home environment. Plus, I personally don't foresee myself needing it for many years to come. So this switch should be fine, right?

The 350s are not end of life. Where did you read that?

 

I stream from Plex because it gives me a library interface, vs. a folder of files. ;)

3 hours ago, BudMan said:

The 350s are not end of life. Where did you read that?

 

I stream from Plex because it gives me a library interface, vs. a folder of files. ;)

I think it was on Reddit in r/homelab. Or maybe somewhere else. Looks like either I read it wrong or the person saying it was wrong. The Cisco website says this model was released in 2016. So looks like I'm good then! :cool:

I've put in a request with my ISP for a static IP. These guys have become extra smart; now they want to charge me for it on a subscription, as opposed to a one-time payment just a couple of months back when I had last asked them! :angry::angry:
