PFSense Firewall Group purchase interest

Originally posted by Kerat
You can remote control PFSense via the command line. It is just PHP stuff.
Have a look here:
Using the PHP pfSense Shell
/* to disable the firewall filter */
$config['system']['disablefilter'] = true;
This could be done via a windows script triggered whenever.
It would be a one-liner script where you would SSH to your PFSense box and then run the command above.
Thinking though it would be easier just to disable all ports on the firewall and utilize VPN to your network.
What phone OS and Laptop OS are you using?
- Pete
Automator
Homeseer 3 Pro - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e 64 bit Intel Haswell CPU 16Gb
Homeseer Zee2 (Lite) - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e - CherryTrail x5-Z8350 BeeLink 4Gb BT3 Pro
HS4 Lite - Ubuntu 22.04 / Lenovo Tiny M900 / 32Gb Ram
HS4 Pro - V4.1.18.1 - Ubuntu 22.04 / Lenovo Tiny M900 / 32Gb Ram
HSTouch on Intel tabletop tablets (Jogglers) - Asus AIO - Windows 11
X10, UPB, Zigbee, ZWave and Wifi MQTT automation-Tasmota-Espurna. OmniPro 2, Russound zoned audio, Alexa, Cheaper RFID, W800 and Home Assistant
Originally posted by logbuilder:
I'm on a metered satellite connection so bandwidth is precious. When I'm away nothing but HS3/BlueIris should be talking externally. It's not critical. I just figured I'd ask and maybe someone had already figured it out.
Interesting. Conceptually there are a few ways to do what you want. We would need to work out how. Aside from putting an Aeotec power switch on your modem (which would turn off all internet access) we could DHCP reserve your IP address to the server and create some firewall rules that can be turned on or off. What IP subnet are you using for your LAN? From what I remember firewall rules are placed in order and are handled exactly that way.
To do this:
A. either DHCP assign an IP address to your server.
B. break out your firewall rule for internet access to:
LAN to access Internet into 2 parts.
1. HS3/NVR IP address to Internet
2. LAN subnet to Internet.
C. We may need to create a deny all as the final rule.
3. Deny access to Internet.
D. Then we need to work out how to disable/enable rule 2 from shell.
E. Create batch or bash script to disable rule 2 that HS3 can call.
F. Create batch or bash script to enable rule 2 that HS3 can call.
Sent from my iPhone using Tapatalk
Originally posted by Pete:
You can remote control PFSense via the command line. It is just PHP stuff.
Have a look here:
Using the PHP pfSense Shell
/* to disable the firewall filter */
$config['system']['disablefilter'] = true;
This could be done via a windows script triggered whenever.
Thinking though it would be easier just to disable all ports on the firewall and utilize VPN to your network.
+1 @Pete. PHP is a better method than an SSH script. So, replace the SSH script with PHP in the outline above.
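A worked version of steps D to F of the outline, done the PHP way as suggested in the follow-up. This is an added example, not code from the thread or from the pfSense project: a pfSsh.php playback script that disables or re-enables only the "LAN subnet to Internet" rule (rule 2) instead of clearing the whole packet filter with disablefilter. It assumes the rule's Description field in the GUI is exactly that string, that the file is copied to /etc/phpshellsessions/toggle_lan_rule on the pfSense box, and that write_config() and filter_configure() behave as in current pfSense releases.

```php
<?php
/* Added example (not from the thread or the pfSense project): toggle one
 * named firewall rule from a pfSsh.php playback script.
 * Run on the pfSense box as:
 *   /usr/local/sbin/pfSsh.php playback toggle_lan_rule
 * Assumes the rule's GUI Description is exactly RULE_DESCR. */
require_once("config.inc");
require_once("filter.inc");

define("RULE_DESCR", "LAN subnet to Internet"); // assumed GUI description
$action = "disable";                             // set to "enable" in the second copy

/* Marks every rule whose description matches; returns the match count. */
function set_rule_state($descr, $disable) {
    global $config;
    $hits = 0;
    if (empty($config['filter']['rule'])) {
        return 0;
    }
    foreach ($config['filter']['rule'] as $idx => $rule) {
        if (!isset($rule['descr']) || $rule['descr'] !== $descr) {
            continue;
        }
        if ($disable) {
            /* pfSense treats a rule as disabled when the key is present at all */
            $config['filter']['rule'][$idx]['disabled'] = true;
        } else {
            unset($config['filter']['rule'][$idx]['disabled']);
        }
        $hits++;
    }
    return $hits;
}

$n = set_rule_state(RULE_DESCR, $action === "disable");
if ($n === 0) {
    echo "No rule with description '" . RULE_DESCR . "' found; nothing changed.\n";
    exit(1);
}
/* Persist to config.xml (visible in the config history) and reload pf so the
 * change applies now. Rules are still evaluated top to bottom, so rule 1
 * (HS3/NVR to Internet) and the final deny keep working unchanged. */
write_config("HS3 automation: {$action} rule '" . RULE_DESCR . "'");
filter_configure();
echo "{$action}d {$n} rule(s)\n";
```

HS3 would then call it remotely, e.g. `ssh admin@<pfsense-host> /usr/local/sbin/pfSsh.php playback toggle_lan_rule`, with a second copy of the file set to "enable" for the other direction.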
Yes you can just put in the login stuff in the php file and run the php file.
I do something similar today on my HS3 Pro box running in Linux (also has apache2 and php running though).
Just found a bash script that uses curl to log in and run php commands remotely on PFSense.
- Pete
Originally posted by Blade:
Thanks
I plugged in the QOTOM mini pc into my router and I can see the ip address for it but I cannot get to the web UI for pfsense
What you need to do instead is connect to the LAN port and do enough configuration so that pfSense behaves the way you want on LAN and WAN.
I suggest plugging an ethernet cable from a computer with a browser to the LAN port - pfSense will provide DHCP. Don't connect to your network at all yet. Then configure pfSense as appropriate to connect your network to the WAN or LAN port.
Interesting video about pfSense ver 2.5 requiring AES IN.
https://www.youtube.com/watch?v=C5ELmTb3wzg
Thank you Logbuilder.
- Pete
Good news Bob!
What makes PFSense is the rich, easy on the eyes, organized GUI. You do not have to be familiar with BSD, i.e. the command line menu / options are really only utilized for the basics of the GUI connectivity.
Go baby steps as the base install is doing its job. At this time all or most of the PFSense plugins are free.
The typical SOHO combination router, firewall, switch, AP today just doesn't have enough memory, RAM for these added features.
I am seeing too that some of these micro multiport boxes now come with an access point and radios / antennas. Personally added an AP radio card to my PFSense set up a few years ago in the basement and didn't like it comparing it to my POE connected wireless access point. Removed the radio card after about a month or so.
- Pete
After my rocky start, I thought an update might be appropriate.
- pfsense WAN port is connected to my satellite modem.
- I have 3 other ports on my pfsense box. They are now TRUSTED, GUEST, and IOT.
- On TRUSTED, there is a dual band dd-wrt AP. Strong and different passwords on each band. These passwords will never be shared with anyone. Of course pfsense does DHCP. All devices are assigned static IP addresses. Eventually I'll set it so that only the known macs can get in.
- Nothing on GUEST at this time. Need to find a cheap dual band router to use as AP. Passwords on this network will change based on visitors.
- IOT has a tp-link dual band setup as an AP. Only 2.4 is actually being used since all my IOT devices are 2.4. Everything assigned static IPs based on mac. Will also eventually flip so that only known devices can access. For the most part, all devices are blocked from accessing anything outside of the IOT network.
- ntopng installed and it has proven very helpful in seeing what devices are generating traffic. Quite easy to drill down on any device. Graphs are cool too but I tend to use the drill down. First set interface, then hosts, then filter on local and I have the devices. Then can drill down on whatever I'm interested in. Great tool. One of the keys is getting visibility on all devices. Using APs gives pfsense visibility to all devices on the AP.
- Several firewall rules for both TRUSTED and IOT to handle specific tasks. As example, itunes was updating whenever it wanted. I have a free download window from 3am to 6am. With two rules, one of which involved a schedule, I got it limited to only the free window. Any access by itunes outside of the window is blocked.
- squid and squidguard are installed. Transparent proxy seems to be working. Caching was also important but I don't think I have it set up quite right. Have used squidguard for some blacklists. I know there is far more potential in the squid arena than I have used or understand. I need to learn how to proxy 443.
- Now starting to look at VPN (or maybe IPSEC?). I have 3 ports forwarded and that bothers me. VPN should plug those holes. Lots of learning and testing to do on that.
Many thanks to Pete for getting me over the initial hump.