PFSense Firewall Group purchase interest
    Originally posted by Kerat:
    This is interesting. Well, I'm not sure that JSON calls work with PFSense. You could however set up a script to shell into your PFsense system and make changes there. What are you planning on setting up while away?

    I'm on a metered satellite connection so bandwidth is precious. When I'm away nothing but HS3/BlueIris should be talking externally. It's not critical. I just figured I'd ask and maybe someone had already figured it out.



      You can remote control PFSense via the command line. It is just PHP stuff.

      Have a look here:

      Using the PHP pfSense Shell

      /* to disable the firewall filter (typed into pfSsh.php, then `exec` to run it) */
      $config['system']['disablefilter'] = true;
      write_config();     /* save the change to config.xml */
      filter_configure(); /* reload the ruleset so the change takes effect */

      This could be done via a windows script triggered whenever.

      It would be a one liner script where you would SSH to your PFSense box and then run the command above.

      Thinking though it would be easier just to disable all ports on the firewall and utilize VPN to your network.

      What phone OS and Laptop OS are you using?
      - Pete

      Auto mator
      Homeseer 3 Pro - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e 64 bit Intel Haswell CPU 16Gb
      Homeseer Zee2 (Lite) - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e - CherryTrail x5-Z8350 BeeLink 4Gb BT3 Pro
      HS4 Lite - Ubuntu 22.04 / Lenovo Tiny M900 / 32Gb Ram

      HS4 Pro - V4.1.18.1 - Ubuntu 22.04 / Lenova Tiny M900 / 32Gb Ram
      HSTouch on Intel tabletop tablets (Jogglers) - Asus AIO - Windows 11

      X10, UPB, Zigbee, ZWave and Wifi MQTT automation-Tasmota-Espurna. OmniPro 2, Russound zoned audio, Alexa, Cheaper RFID, W800 and Home Assistant



        Originally posted by logbuilder:
        I'm on a metered satellite connection so bandwidth is precious. When I'm away nothing but HS3/BlueIris should be talking externally. It's not critical. I just figured I'd ask and maybe someone had already figured it out.


        Interesting. Conceptually there are a few ways to do what you want. We would need to work out how. Aside from putting an Aeotec power switch on your modem (which would turn off all internet access), we could DHCP-reserve your server's IP address and create some firewall rules that can be turned on or off. What IP subnet are you using for your LAN? From what I remember firewall rules are placed in order and are handled exactly that way.

        To do this
        A. either DHCP assign an IP address to your server.
        B. break out your firewall rule for internet access to:
        LAN to access Internet into 2 parts.
        1. HS3/NVR IP address to Internet
        2. LAN subnet to Internet.

        C. We may need to create a deny all as the final rule.
        3. Deny access to Internet.

        D. Then we need to work out how to disable/enable rule 2 from shell.
        E. Create batch or bash script to disable rule 2 that HS3 can call.
        F. Create batch or bash script to enable rule 2 that HS3 can call.





          Originally posted by Pete:
          You can remote control PFSense via the command line. It is just PHP stuff.

          Have a look here:

          Using the PHP pfSense Shell

          /* to disable the firewall filter (typed into pfSsh.php, then `exec` to run it) */
          $config['system']['disablefilter'] = true;
          write_config();     /* save the change to config.xml */
          filter_configure(); /* reload the ruleset so the change takes effect */

          This could be done via a windows script triggered whenever.

          Thinking though it would be easier just to disable all ports on the firewall and utilize VPN to your network.


          +1 @Pete. PHP is a better method than an SSH script. So, replace the SSH script with PHP in the outline above.




            Yes you can just put in the login stuff in the php file and run the php file.

            I do something similar today on my HS3 Pro box running in Linux (also has apache2 and php running though).

            Just found a bash script that uses curl to log in and run php commands remotely on PFSense.
            - Pete

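The outline a few posts up (split the LAN-to-Internet rule into a HS3/NVR rule and a LAN-subnet rule, keep a deny-all as the last rule, then enable or disable rule 2 from a script HS3 can call) and Pete's point about running a PHP file on the box can be combined into one script. This is an added example, not code from the thread or from the pfSense project. It assumes the pfSense 2.4/2.5-era PHP API (`config.inc` and `filter.inc`, the global `$config` array, `write_config()` and `filter_configure()`), that the file is copied to the firewall and run there as root, and that rule 2 carries the description `LAN subnet to Internet`, which is a placeholder to change to whatever your own rule is called.

```php
<?php
/*
 * Added example, not from the forum thread or the pfSense project.
 * Enables or disables one firewall rule, selected by its description, so a
 * home-automation job (HS3 in the thread) can close the general
 * "LAN subnet to Internet" rule before a trip and reopen it afterwards.
 *
 * Assumptions: pfSense 2.4/2.5-era PHP API (global $config, write_config(),
 * filter_configure()); run on the firewall itself as root, e.g.
 *   php -f /root/toggle_rule.php disable
 * RULE_DESCR is a placeholder and must match the rule's description exactly.
 */
require_once("config.inc");   // loads config.xml into the global $config array
require_once("filter.inc");   // provides filter_configure()

const RULE_DESCR = "LAN subnet to Internet";   // assumed description of "rule 2"

/** Return the index of the first filter rule whose description matches, or null. */
function find_rule_index(array $rules, string $descr): ?int
{
    foreach ($rules as $i => $rule) {
        if (isset($rule['descr']) && $rule['descr'] === $descr) {
            return $i;
        }
    }
    return null;
}

/**
 * pfSense stores a disabled rule as one that carries a 'disabled' key; an
 * enabled rule simply has no such key. Returns true if the rule was changed.
 */
function set_rule_state(array &$rules, int $idx, bool $enable): bool
{
    $is_enabled = !isset($rules[$idx]['disabled']);
    if ($is_enabled === $enable) {
        return false;   // already in the requested state, nothing to write
    }
    if ($enable) {
        unset($rules[$idx]['disabled']);
    } else {
        $rules[$idx]['disabled'] = true;
    }
    return true;
}

$action = $argv[1] ?? '';
if (!in_array($action, ['enable', 'disable'], true)) {
    fwrite(STDERR, "usage: php -f toggle_rule.php enable|disable\n");
    exit(2);
}

$rules = &$config['filter']['rule'];
$idx = find_rule_index($rules ?? [], RULE_DESCR);
if ($idx === null) {
    fwrite(STDERR, "rule '" . RULE_DESCR . "' not found; config left untouched\n");
    exit(1);
}

if (set_rule_state($rules, $idx, $action === 'enable')) {
    // write_config() saves config.xml and records the reason in the config history
    write_config("automation: {$action}d rule '" . RULE_DESCR . "'");
    // filter_configure() regenerates and reloads the pf ruleset so the change is live
    filter_configure();
    echo "rule '" . RULE_DESCR . "' {$action}d\n";
} else {
    echo "rule '" . RULE_DESCR . "' was already {$action}d\n";
}
```

HS3 would call it over a key-based SSH login to the firewall's LAN address, for example `ssh -i ~/.ssh/pfsense_key root@<pfsense-lan-ip> 'php -f /root/toggle_rule.php disable'` when leaving and the `enable` form on return (the key path and login are assumptions; whatever account you use needs a shell that runs the command rather than the console menu). Because the deny-all rule stays in place and rule 1 stays enabled, disabling rule 2 cuts the rest of the LAN off while HS3/BlueIris keep their access, which is exactly why the outline splits the rule in two. The script refuses to write anything if the description is not found, so a typo in RULE_DESCR fails loudly instead of silently doing nothing.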


              I installed Squid today. Wow, what an eye opener! So much outbound chatter that I don't deem necessary and will enjoy blocking bit by bit. Even the Z-net is calling home frequently.
              cheeryfool





                  Originally posted by cheeryfool:
                  I installed Squid today. Wow, what an eye opener! So much outbound chatter that I don't deem necessary and will enjoy blocking bit by bit. Even the Z-net is calling home frequently.
                  Did you enable the proxy server?




                    Originally posted by logbuilder:
                    Did you enable the proxy server?


                    Yes and the AV but def still learning.



                      Originally posted by Blade:
                      Thanks

                      I plugged in the QOTOM mini pc into my router and I can see the ip address for it but I cannot get to the web UI for pfsense
                      I'm guessing you're trying to access pfSense through its WAN port. That won't work since the pfSense UI won't respond on WAN by default.

                      What you need to do instead is connect to the LAN port and do enough configuration so that pfSense behaves the way you want on LAN and WAN.

                      I suggest plugging an ethernet cable from a computer with a browser into the LAN port; pfSense will provide DHCP. Don't connect it to your network at all yet. Then configure pfSense as appropriate to connect your network to the WAN or LAN port.



                        Interesting video about pfSense ver 2.5 requiring AES-NI.

                        https://www.youtube.com/watch?v=C5ELmTb3wzg



                          Thank you Logbuilder.
                          - Pete



                            Well I got my pfsense machine up and running.

                            Now I need to learn a lot more stuff in order to fine tune it

                            Thanks for the help
                            Cheers,
                            Bob



                              Good news Bob!

                              What makes PFSense is its rich, easy-on-the-eyes, organized GUI. You do not have to be familiar with BSD; i.e. the command line menu / options are really only utilized for the basics of the GUI connectivity.

                              Go baby steps, as the base install is doing its job. At this time all or most of the PFSense plugins are free.

                              The typical SOHO combination router, firewall, switch, AP today just doesn't have enough memory, ram for these added features.

                              I am seeing too that some of these micro multiport boxes now come with an access point and radios / antennas. Personally added an AP radio card to my PFSense set up a few years ago in the basement and didn't like it comparing it to my POE connected wireless access point. Removed the radio card after about a month or so.
                              - Pete



                                After my rocky start, I thought an update might be appropriate.
                                • pfsense WAN port is connected to my satellite modem.
                                • I have 3 other ports on my pfsense box. They are now TRUSTED, GUEST, and IOT.
                                • On TRUSTED, there is a dual band dd-wrt AP. Strong and different passwords on each band. These passwords will never be shared with anyone. Of course pfsense does DHCP. All devices are assigned static IP addresses. Eventually I'll set it so that only the known macs can get in.
                                • Nothing on GUEST at this time. Need to find a cheap dual band router to use as AP. Passwords on this network will change based on visitors.
                                • IOT has a tp-link dual band setup as an AP. Only 2.4 is actually being used since all my IOT devices are 2.4. Everything assigned static IPs based on mac. Will also eventually flip so that only known devices can access. For the most part, all devices are blocked from accessing anything outside of the IOT network.
                                • ntopng installed and it has proven very helpful in seeing what devices are generating traffic. Quite easy to drill down on any device. Graphs are cool too but I tend to use the drill down. First set interface, then hosts, then filter on local and I have the devices. Then can drill down on whatever I'm interested in. Great tool. One of the keys is getting visibility on all devices. Using APs gives pfsense visibility to all devices on the AP.
                                • Several firewall rules for both TRUSTED and IOT to handle specific tasks. As example, itunes was updating whenever it wanted. I have a free download window from 3am to 6am. With two rules, one of which involved a schedule, I got it limited to only the free window. Any access by itunes outside of the window is blocked.
                                • squid and squidguard are installed. Transparent proxy seems to be working. Caching was also important but I don't think I have it set up quite right. Have used squidguard for some blacklists. I know there is far more potential in the squid arena than I have used or understand. I need to learn how to proxy 443.
                                • Now starting to look at VPN (or maybe IPSEC?). I have 3 ports forwarded and that bothers me. VPN should plug those holes. Lots of learning and testing to do on that.


                                Many thanks to Pete for getting me over the initial hump.

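Two items in the update above are worth checking mechanically rather than by eye: the three WAN port forwards that "bother" the author, and whether the IOT network really is blocked from everything outside itself. The script below is an added example, not code from the thread or the pfSense project. It reads an exported config.xml backup offline (so nothing runs on the firewall) and lists enabled port forwards on WAN plus enabled pass rules on the IOT interface whose destination is "any". It assumes the config.xml layout of a pfSense 2.4/2.5 backup (`<nat><rule>` for port forwards, `<filter><rule>` for firewall rules, an empty `<disabled/>` element marking a disabled rule, `<destination><any/>` for "any"); the IOT interface name `opt3` and the embedded sample config are constructed for the example, not taken from the thread.

```php
<?php
/*
 * Added example, not from the forum thread or the pfSense project.
 * Audits a pfSense config.xml backup offline for WAN port forwards and for
 * enabled IOT pass rules that reach any destination (i.e. out to the Internet).
 *
 * Assumptions: pfSense 2.4/2.5 backup layout; IOT interface named "opt3"
 * (assumed); the sample config below is constructed, not a real export.
 * Usage: php -f audit_config.php [path/to/config.xml]
 */

const IOT_IF = 'opt3';   // assumed internal name of the IOT port

// Constructed sample backup; not exported from anyone's real firewall.
const SAMPLE_CONFIG = <<<'XML'
<?xml version="1.0"?>
<pfsense>
  <nat>
    <rule>
      <interface>wan</interface><protocol>tcp</protocol>
      <destination><network>wanip</network><port>8081</port></destination>
      <target>10.0.0.20</target><local-port>81</local-port>
      <descr>BlueIris web UI</descr>
    </rule>
    <rule>
      <interface>wan</interface><protocol>tcp</protocol>
      <destination><network>wanip</network><port>8080</port></destination>
      <target>10.0.0.10</target><local-port>80</local-port>
      <descr>HS3 web UI</descr>
    </rule>
  </nat>
  <filter>
    <rule>
      <type>pass</type><interface>opt3</interface>
      <source><network>opt3</network></source>
      <destination><address>10.0.0.10</address><port>80</port></destination>
      <descr>IOT to HS3 only</descr>
    </rule>
    <rule>
      <type>pass</type><interface>opt3</interface>
      <source><address>10.0.3.50</address></source>
      <destination><any/></destination>
      <descr>Smart plug firmware updates</descr>
    </rule>
    <rule>
      <type>pass</type><interface>opt3</interface>
      <source><network>opt3</network></source>
      <destination><any/></destination>
      <disabled/>
      <descr>Temporary IOT to anywhere (disabled)</descr>
    </rule>
    <rule>
      <type>block</type><interface>opt3</interface>
      <source><network>opt3</network></source>
      <destination><any/></destination>
      <descr>IOT deny all</descr>
    </rule>
  </filter>
</pfsense>
XML;

/** Enabled port forwards on WAN, one summary string each. */
function wan_port_forwards(SimpleXMLElement $cfg): array
{
    $out = [];
    if (!isset($cfg->nat)) return $out;          // no port forwards at all
    foreach ($cfg->nat->rule as $r) {
        if ((string)$r->interface !== 'wan' || isset($r->disabled)) continue;
        $out[] = sprintf("%s %s:%s -> %s:%s (%s)",
            strtoupper((string)$r->protocol),
            (string)$r->destination->network, (string)$r->destination->port,
            (string)$r->target, (string)$r->{'local-port'}, (string)$r->descr);
    }
    return $out;
}

/** Descriptions of enabled pass rules on $iot_if whose destination is "any". */
function iot_rules_to_anywhere(SimpleXMLElement $cfg, string $iot_if): array
{
    $out = [];
    if (!isset($cfg->filter)) return $out;
    foreach ($cfg->filter->rule as $r) {
        if ((string)$r->interface !== $iot_if || (string)$r->type !== 'pass') continue;
        if (isset($r->disabled) || !isset($r->destination->any)) continue;   // skip disabled and narrow rules
        $out[] = (string)$r->descr;
    }
    return $out;
}

// A real backup path as the first argument replaces the constructed sample.
$cfg = isset($argv[1]) ? simplexml_load_file($argv[1]) : simplexml_load_string(SAMPLE_CONFIG);
if ($cfg === false) {
    fwrite(STDERR, "could not parse config.xml\n");
    exit(1);
}
echo "WAN port forwards (each one is a service exposed to the Internet):\n";
foreach (wan_port_forwards($cfg) as $line) echo "  $line\n";
echo "Enabled IOT pass rules to any destination:\n";
foreach (iot_rules_to_anywhere($cfg, IOT_IF) as $descr) echo "  $descr\n";
```

On the sample it reports the two forwards and a single IOT rule, the per-device "firmware updates" exception, while the disabled catch-all and the deny-all are correctly ignored. Run against a real backup (Diagnostics > Backup & Restore), the first list is what a VPN would let you remove, and the second is the list to review against the "blocked from anything outside the IOT network" intent, since rule order means any pass rule above the deny-all wins.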