pfSense
Hi Philip and Team!
Do you happen to have tips and tweaks for pfSense?
What would be a good set up? Which ports do I have to keep open under "small office home office condition"?
I don't do torrenting but I do lots of multi threaded https download on large files using Internet download manager.
I also do a lot of streaming from different sites.
We use WireGuard and OpenConnect on our client side as well.
Thanks
Hi Mark,
It depends pretty much on the number of users, and on how capable the appliance is of running all of the pfSense features. If the device does not have a fast CPU and plenty of RAM (or if you don't have many users at the same time) I would turn off some of the fancier features like QoS.
I would try without opening any ports; HTTPS transfers should be going through the standard port 443 and some temporary high ports that you don't need to keep open. If some software you use requires running a server on your end, that's where you usually have to start opening ports.
Hey Philip
This is my set up:
https://www.gigabyte.com/Motherboard/B4 ... -rev-10#kf
16GB RAM
128GB SSD
I have QoS and Suricata running.
I have modified the tunables to match TCP Optimizer's.
Under Windows 10 OS, which ports need to be open?
Hardware will not be a limitation with that setup; if anything it might be overkill for a SOHO setup. You can run whatever services you want, pretty much.
You only need to open ports if you are running servers and need to connect to your network from a remote location (Remote Desktop, VNC server, SSH, etc.). Otherwise, for most outgoing connections the ports should be dynamically allocated and you don't have to open them at the firewall.
Linux is user friendly, it's just picky about its friends...
Disclaimer: Please use caution when opening messages, my grasp on reality may have shaken loose during transmission (going on rusty memory circuits). I also eat whatever crayons are put in front of me.
๑۩۞۩๑
Philip, would you agree with the following default settings in pfSense:
TCP First 3600
TCP Opening 900
TCP Established 432000
TCP Closing 3600
TCP FIN Wait 600
TCP Closed 180
TCP Tsdiff 60
UDP First 300
UDP Single 150
UDP Multiple 900
ICMP First 20
ICMP Error 10
Other First 60
Other Single 30
Other Multiple 60
I do not use pfSense, but I think that list refers to the amount of time those different protocol states remain open before timing out.
All those timeouts seem to be a bit too long/conservative for my taste (assuming they are in seconds)... I would definitely shorten the TCP ones... Something like:
TCP First 120
TCP Opening 60
TCP Established 86400
TCP Closing 600
TCP FIN Wait 45
TCP Closed 90
TCP Tsdiff 30
Otherwise, it will keep all those connections open too long, consuming memory and resources unnecessarily.
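As an added example (not from anyone in this thread), here are the same state timeouts written in pf's own `set timeout` syntax, with the shorter TCP values suggested above substituted for the listed defaults, followed by the pfctl commands that show what the firewall has actually loaded. On pfSense these fields are set in the GUI (System > Advanced > Firewall & NAT) and pfSense regenerates pf.conf itself, so this is the equivalent rule text rather than a file to edit by hand.

```pf
# Added example: pf 'set timeout' directives matching the pfSense
# state-timeout fields discussed above. All values are seconds.
# TCP values are the shorter ones suggested in the reply; the previous
# (listed default) value is noted on each line. UDP/ICMP/other values
# are left at the listed defaults.
set timeout tcp.first       120     # was 3600
set timeout tcp.opening      60     # was 900
set timeout tcp.established 86400   # was 432000 (5 days); now 1 day
set timeout tcp.closing     600     # was 3600
set timeout tcp.finwait      45     # was 600
set timeout tcp.closed       90     # was 180
set timeout tcp.tsdiff       30     # was 60
set timeout udp.first       300     # WireGuard runs over UDP, so the
set timeout udp.single      150     # udp.* timeouts govern tunnel state;
set timeout udp.multiple    900     # keep them above the keepalive interval
set timeout icmp.first       20
set timeout icmp.error       10
set timeout other.first      60
set timeout other.single     30
set timeout other.multiple   60

# Check what pf actually has loaded, and compare the state-table
# occupancy against its limit before and after the change:
#   pfctl -s timeouts               # active timeout values
#   pfctl -s info | grep -i entries # 'current entries' in the state table
#   pfctl -s memory                 # 'states hard limit'
```

If the state count from `pfctl -s info` stays well below the hard limit with the listed defaults, the longer timeouts are costing memory but not causing dropped connections; if it approaches the limit, the shorter TCP values above free entries sooner.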
In general, it is safe to close all inbound ports unless you are running some type of server application that needs people to connect to you.
Blocking new incoming connections is safe.
When your local devices reach out onto the internet, they establish a connection with a remote server and the firewall generally knows to allow incoming traffic back to that device on certain ports. If some application/game has an issue with that, you may have to read into what ports it requires open/forwarded and adjust (port-forward) accordingly.