pfsense and Rules For IoT Devices with mDNS

  • Published 17 Jul 2024

COMMENTS • 140

  • @audunaa 4 years ago +9

    Got into homelabbing, and now I keep getting these videos recommended. And I never know that it's the video I'm looking for before I watch it, because it explained a concept that I'm not aware of. Then after I watched them I immediately have to go and implement it on my home network. Great work. Looking forward to the next recommended video of something exciting that I'm not yet aware of!

    • @audunaa 4 years ago +2

      So I guess it's great work to you because the video is very good, easy to understand. And also, strangely enough, good job to YouTube algorithm.. hmm feels weird just writing that sentence...

  • @systemofapwne 4 years ago +2

    Brilliant. A bit lengthy, but this is necessary, if you start from scratch. I was already watching a lot of videos in this direction lately and now thanks to this channel (and especially this video), my completely separate IoT Network with ~40 devices works perfectly. The missing bit was mDNS to make Chromecast work across networks. Thank you!

  • @Soligniari 5 years ago +3

    Love the video! I recently got some IOT stuff and had a similar setup but I like how you explain why you do things. This helps refine my setup to be more effective and less complicated. Thanks!

  • @PeterCronwright 4 years ago +5

    For anyone having trouble with this over WiFi. Some WiFi systems default to filtering broadcasts, so you may have to disable this filtering. For me it was Aruba "Broadcast Filtering" that defaults to allowing ARP only. Once this was disabled it worked perfectly.

  • @bitpickersplace494 5 years ago +12

    I’m just getting started with PFSense and this is very helpful to me.
    Thanks.

  • @token112 5 years ago +2

    I needed this, thanks!

  • @rsluggy6485 1 year ago

    Once again, a Lawrence Systems video helped me fix a problem I didn't realize I had. My ESPHome devices for Home Assistant were not quite working after putting them on an IoT subnet/VLAN. They could be configured and updated and I could read the logs, but they remained in the "OFFLINE" state in Home Assistant. Turns out they depend on mDNS to find Home Assistant and Avahi was the magic that was needed to make that now work. Thanks again!

    • @user-qf4xj3lf3y 11 months ago

      Same exact thoughts. My server network is on a different subnet than my "home network". Suffice to say my Home Assistant is on the server network and needs to speak to Apple TV, Sonos, and everything else on the home subnet. @LawrenceSystems Tom is always ahead of me. This time by 4 years.

  • @joeyl.6448 5 years ago +1

    Thanks for another informative video. Always love the pfSense related videos.

  • @playtime5423 5 years ago +1

    Awesome. Basic overview that was simple and straightforward 👍🏼👍🏼

  • @DiogoROSilva 5 years ago +1

    I usually don't comment on videos! But this is too strange to let go by! Sometimes I think that you read my mind on the videos that I like! Great work and hope that 2019 brings only the best to your life (personal, work, youtube, etc!). Thank you

  • @McIntec 4 years ago +2

    I can't believe you said "Your refrigerator being attacked..." This is the world we live in now. Brings a whole different meaning when you say things like "It's got everything but the kitchen sink."

  • @ag100pct 3 years ago

    Outstanding. Exactly what I needed and exactly the right detail.

  • @lucalc9722 5 years ago

    Awesome! Please more pfsense videos! Thanks a million!

  • @BrixofGreen 5 years ago

    Good info as always Lawrence! Appreciate the knowledge sharing.

  • @paulandbethgonzalez8437 3 years ago +1

    Thank you, I’ve really needed answers on how to accomplish this for a long time. As a noob, it seemed daunting to try to manage the ports that IoT needs to work on a separate network, and still let devices work with them from my trusted net. Very clear explanation, and concise video!

  • @cvazquez743 4 years ago

    Thank you so much for all your videos!!!

  • @TheMrDrMs 2 years ago +2

    Searches for refresher of securing iot vlan for my network overhaul. Of course, it's Lawrence. Thanks for all you do.

  • @boilami 4 years ago +1

    Very well done sir! Thanks for sharing your knowledge :)

  • @j.r._7416 5 years ago

    Great video. Thanks Tom!

  • @TrillChords 3 years ago

    Exactly what I needed. Thanks for teaching me pfSense bro

  • @sammysame 3 years ago

    Hey Tom, great video, thanks!

  • @doveshouse 1 year ago

    Phenomenal description of securing IoT devices while still allowing actual secured devices to initiate communication and requests. Wildly helpful

    • @LAWRENCESYSTEMS 1 year ago

      Thanks, I love making things that people consider "Wildly helpful"

  • @BillyDickson 5 years ago +1

    Thanks much appreciated. 👍

  • @mimikm222 3 years ago

    Old video but super useful. Thanks Tom again

  • @raymondfb 5 years ago

    Thank you for another great video

  • @lanceeilers5061 5 years ago +2

    Thanks Tom, really enjoyed your vid - IOT devices are a real problem but like anything, you just need to manage it (Personally I'm still old school I hate wireless), thanks a bunch for giving us real world scenarios and solutions... I have also implemented segregation at home, BW control etc... Gold nuggets that you have taught me, I would like to request some additional implementations of security between devices on your local LAN wireless etc with certificates perhaps a brief discussion on the network configurations with pfsense, as additional layers one could implement... thanking you kind regards
    Lance

  • @allandresner 2 years ago

    Another great video, thank you

  • @FailedSquare 4 years ago

    Good video! thank you

  • @rxang9759 4 years ago

    Love the video. However, do you have a video on the same configuration for Untangle?

  • @drreality1 4 years ago

    Thank you.
    Can I skip unifi switch and achieve the same with pfsense box and unifi access point?
    Cheers

  • @nkerboute 4 years ago

    Great Video! Quick question, how can I block access to LAN except for a few machines with specific ports (Between Sonos Controller and Sonos speakers), not mDNS, while maintaining internet access?

  • @CamiloSperberg 5 years ago +2

    A little late to the comments, but last week I decided to migrate my little linux box (failing, bad ram I suspect) with 2 unifi AP's and a netgate sg3100 based solely because of your excellent videos. You explain stuff VERY well (I actually understand what every option actually means), they are straight to the point, they actually work quite good and you have topics about... just everything! This was being a major PITA for me but the Chromecast works perfectly now! Thank you, thank you, thank you!!

  • @dopeytree 9 months ago

    Thanks

  • @awo90 4 years ago

    Hi, I am a big fan of your channel. Thank you for posting. On this episode you only cover the firewall side (pfSense), but what about the UniFi Controller? Do I have to do some changes there too? Like enable IGMP snooping?

    • @LAWRENCESYSTEMS 4 years ago +1

      Yes, I believe with the latest UniFi firmware you need to enable IGMP Snooping.

  • @nickvoegele3427 5 years ago

    Great video. I have run into situations where a camera NVR won't connect locally to the phone app, because it does not see it on the same network. I have tried everything, but have never found a workaround. Have you ever run into this? Also when I try and use Miracast to a TV on an IoT LAN, it can't find it. Have you run into this as well?

  • @bjarkeistruppedersen8213 3 years ago +1

    How would you go about preventing lateral movement inside the 172 network with unifi switches/ap's and pfSense as firewall? Isolating each device on separate vlans does not really scale

  • @chrisjones1075 3 years ago

    Thanks for the helpful video. This was exactly what I needed to set up my ADT system on OPT1. It has its own Wi-Fi router for some of the sensors and who knows whether the firmware is ever updated. Keep 'em coming. Also, you might want to remind people to reset their state tables once in a while when making changes. That really helped me out setting up my OPT1 configs.

  • @lynxshd 4 years ago

    I was wondering if you have had to try and get casting to work with a Roku TV with this setup. I have not had any luck. Any suggestions would really be great.

  • 4 years ago +1

    Hey! Just followed your video, but I can't cast anything to my Chromecast. I set up Avahi, I have rules in Smarthome firewall which let the Chromecast to anywhere, and I have a rule in LAN firewall, to let anything to the Chromecast. What am I missing?

  • @DaveGee2010 5 years ago

    Great vid and quite topical as I am building my iot network before the iot devices on my internal network grows any larger than they already are....
    Q: Would it be better to put a Plex server along with the file server that supports it on the IOT network with the Amazon Fire's etc or can they remain on the trusted network?

  • @christoffertoftpersson895 3 years ago

    Just wanted to highlight something - even though you're right - The ping is an ICMP packet, and thus does not fall into the rule that you just made. (I know, it does fall into the implicit block however, but I guess a more apt test would be to test curl or wget towards one of the internal machines). Am I wrong in this?

  • @Tntdruid 5 years ago +3

    Do one for EdgeRouter

  • @AronGari 4 years ago +3

    Avahi recommends caution when enabling publishing settings, and has them all off by default; however they are all enabled in this video. I am having a hard time finding anyone that actually explains the scope, and necessity of these settings; why are they not even mentioned?

  • @DRe-776 4 years ago

    Hi Lawrence, what about if you need to access DLNA content from a NAS located in a different VLAN but cast the video to smart TVs in the IoT network? Any idea how to approach that?

  • @a9503128 5 years ago +1

    Question about mDNS on PF, like you I have many VLANs and have isolated the Internet Of Turd 💩 device(s) and gone the extra step(s) of only allowing a device to use 8.8.8.8 DNS, any HTTP/S and NTP and the multicast protocol.
    mDNS and DNS are two completely different services and protocols but I get odd timeouts resolved by EITHER
    switching the IoT device to use the PF box as the DHCP assigned DNS server.
    OR
    Re-leasing the IP address of the non-IoT device trying to reach the IoT device 🤔
    It’s puzzling because they’re three different services and protocols,
    Tip: remember Avahi as “I Have A”

  • @burkusmax 5 years ago +1

    I've been beating my head against a wall for months working on this. I've enabled Avahi and have my rules in pfSense correct but I still can't see "cast" devices across VLANs. Is it because my LAN is getting its DHCP and DNS from my domain controllers and not pfSense?

  • @Myhtraven 4 years ago

    As an ICT/network enthusiast I love your videos. For me they are a goldmine of information. Thnx for sharing all this knowledge 👍

  • @topgunm 2 years ago

    This is a great explanation. However, a question; What's the point of setting the source to IOT net vs just using *? As IOT net is the whole subnet of that VLAN.

  • @b4kk4li 2 years ago

    Thanks, can you do any update video on Network of things, pfSense rules for that and how they can communicate between IOT?

  • @luckyz0r 5 years ago

    I'm trying to setup my Sonos One in a different subnet like this, but it doesn't work with avahi. Can you please help me?

  • @Duder_abides 4 years ago

    I find HomeKit still doesn't work well correctly with this setup. Are there known bugs, etc for Avahi? Is there a method to do this without?

  • @TechySpeaking 1 year ago +1

    3:38 I don't think the refrigerator would be wandering around.
    If anything, it would be running.
    I'll see myself out.

  • @ramblinman7153 4 years ago

    I couldn't get it working until I allowed the IOT network to talk to the LAN. I had blocked this initially and only allowed internet access. Chromecast would not work and in my firewall logs, I saw attempts from the device to connect to the LAN on port 8010... It wasn't until I allowed this that I could cast movies on my TV

  • @cra1g1483 3 years ago

    Anybody have experience getting YouTube casting to work with the Amazon Fire Stick 4K? Casting works with the Chromecast, but not the Fire Stick. It just hangs after selecting the device.

  • @vitektony 5 years ago +3

    Using aliases is awesome. I like to use a RFC_1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) alias to cover all private networks. Then use invert match just like you to limit to only "internet" access, this way future internal networks are automatically blocked for things like IOT/GUEST.

    • @fedemtz6 5 years ago +1

      If you do that just make sure to add a rule before that one that allows traffic from the IOT/GUEST Net to the IOT/GUEST Net

    • @vitektony 5 years ago +1

      @fedemtz6 I might be missing something but if two things in the same subnet want to communicate with each other, the traffic wouldn't go through the gateway anyway since it's just direct layer2 communication?

    • @daniel_2 5 years ago +1

      @vitektony I have the same question, did you get an answer? (About the "rules in a subnet to the same subnet" question)

    • @vitektony 5 years ago +1

      @daniel_2 No but I am quite confident that it works the way I stated above.

    • @kylelaker539 10 months ago

      So what is your IP subnet for IoT?
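An added example, not part of the comment thread and not pfSense code: a small Python model of first-match rule evaluation on the IoT interface, using the inverted RFC_1918 alias described in the thread above. The host addresses (172.16.69.1 as the firewall's IoT address, 192.168.1.50, 10.20.0.5, 203.0.113.10) are constructed for illustration; it shows that the single inverted pass rule also drops traffic to the firewall's own services such as DNS unless a pass rule for them sits above it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


def alias(*cidrs):
    """Build an alias (list of networks) the way a firewall alias groups CIDRs."""
    return [ipaddress.ip_network(c) for c in cidrs]


RFC1918 = alias("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
IOT_GATEWAY = alias("172.16.69.1/32")  # assumed firewall address on the IoT net


@dataclass(frozen=True)
class Rule:
    label: str
    action: str                 # "pass" or "block"
    protos: Tuple[str, ...]     # ("any",) or e.g. ("tcp", "udp")
    dst: Sequence               # destination alias
    invert: bool = False        # "invert match" on the destination
    port: Optional[int] = None  # None = any port

    def matches(self, proto, dst_ip, port):
        if "any" not in self.protos and proto not in self.protos:
            return False
        if self.port is not None and port != self.port:
            return False
        in_alias = any(dst_ip in net for net in self.dst)
        return in_alias != self.invert  # invert flips the destination test


def evaluate(rules, proto, dst, port=None):
    """First matching rule wins; anything unmatched hits the default deny."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(proto, dst_ip, port):
            return rule.action, rule.label
    return "block", "default deny"


# Rule set 1: only the inverted-alias rule ("internet only").
INTERNET_ONLY = [
    Rule("pass to !RFC1918", "pass", ("any",), RFC1918, invert=True),
]

# Rule set 2: same, with DNS to the firewall allowed above it.
WITH_DNS = [
    Rule("DNS to firewall", "pass", ("tcp", "udp"), IOT_GATEWAY, port=53),
] + INTERNET_ONLY

# Constructed sample flows leaving an IoT device: (proto, destination, port)
FLOWS = [
    ("tcp", "203.0.113.10", 443),   # internet host (documentation range)
    ("tcp", "192.168.1.50", 443),   # host on the trusted LAN
    ("icmp", "192.168.1.50", None), # ping to the trusted LAN
    ("udp", "172.16.69.1", 53),     # DNS query to the firewall itself
    ("tcp", "10.20.0.5", 22),       # a private network added later
    ("tcp", "172.168.69.5", 80),    # 172.168.x.x is NOT private address space
]

if __name__ == "__main__":
    for name, rules in (("internet only", INTERNET_ONLY), ("with DNS", WITH_DNS)):
        print(f"--- {name} ---")
        for proto, dst, port in FLOWS:
            action, label = evaluate(rules, proto, dst, port)
            print(f"{proto:4} -> {dst:15} port {port!s:5} {action:5} ({label})")
```
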

  • @timmark4190 1 year ago

    May we see the rules from the other networks to get into IOT?

  • @spiderx01 1 year ago

    Hello, how can I set up mDNS “.local” domain on Windows computer?

  • @kylegustafson7226 2 years ago

    Is there a recent tutorial on Avahi? The interface has changed again.

  • @CBLFootball 2 years ago

    I have a Synology NAS running a Plex server on my network and would like my firesticks & Nvidia shield devices on the IOT vlan but have access to plex. Is this possible?

  • @mattcero1 2 years ago

    I'd love for someone to go over "invert match" more extensively. I'm very curious.

  • @s0n1kpt 5 years ago

    Thanks for sharing.
    I have one question: is it possible for a Plex client on the IoT network to communicate with a Plex server on the private network?
    Thanks again

    • @Vaheen 5 years ago +1

      @s0n1kpt, you definitely want the plex client on the IOT network, so you can add a higher priority rule that allows the IOT network to initiate a connection to the plex server using only the ports that plex requires to communicate (which will include tcp/32400 by default, and maybe some others, you will need to test)

  • @way5718 5 years ago +2

    Thank you for the video Lawrence!
    Have you heard about OPNsense and have you tried it ? I am looking to build my own firewall at home and am a bit lost between pfsense and opnsense that both looks great. Thanks!

    • @LAWRENCESYSTEMS 5 years ago +2

      I prefer pfSense, there is not really anything that OPNsense offers that makes me want to switch.

  • @gordoncampbell7427 5 years ago

    As soon as I activate the firewall rule I can see the AirPlay devices but not play them anymore. iTunes error something like can not connect. I have the same VLAN structure with UniFi hardware. Does anyone have an idea of what I can do?

  • @MarcelMolleman 5 years ago

    Tom, Thanks for the nice video.
    I do have a question tho.
    On the IoT VLAN you do provide DHCP for the IoT devices, but do you also provide DNS settings in the leases?
    Or do all IoT devices have default DNS settings provided of their own?
    Because with this one rule on the IoT interface, devices cannot lookup DNS on the PFSense box, so if they don't have their own DNS settings, they will fail to communicate to the outside. I mean, they cannot do DNS lookups, so they fail.
    But I will build this at home, this is a great tip for keeping all those creepy IoT fu**ers out of my LAN ;-)

    • @LAWRENCESYSTEMS 5 years ago

      A VLAN still needs DHCP and other services to be allowed in order for it to work.

  • @SmartLifeEnthusiast 5 years ago

    The last update to Avahi seems to be dated July 2017.
    Is it no longer maintained, or has there simply been no reason to provide an updated version yet?

    • @LAWRENCESYSTEMS 5 years ago +1

      That standard has been around since 2013 so I would say it's not likely that it needed any changes.

  • @forrestmcmean2257 5 years ago

    Hello chap
    What do you use to draw your diagrams? Was looking at Micro$oft Visio but don't want to pay £500+ for it, and Pencil Project seems to be a bit too complicated for what I want to do....
    Great video and keep up the great work.

    • @forrestmcmean2257 5 years ago

      Never Mind. Found it!

    • @cperez8891 2 years ago

      @forrestmcmean2257 Appreciate if u would share app name used to draw diagram. Tnks in advance

  • @DesertGardenPrepper 1 year ago

    I appreciate this info, thanks! Question about blocking traffic. If my Sonos speakers are on my IoT VLAN and my inter-VLAN traffic is blocked, do I just need to allow private network to access Sonos speakers, but Sonos speakers don't need to access private VLAN? If the request for music is made from private to Sonos, they will answer, even when they are blocked on the IoT side?

    • @LAWRENCESYSTEMS 1 year ago

      Not really sure what Sonos requires to work.

    • @DesertGardenPrepper 1 year ago

      @LAWRENCESYSTEMS I wasn't referring to Sonos specifically, just devices, and trying to ask if endpoints could answer requests through a block rule.

  • @nothinglasts 3 years ago

    I have an odd issue here. I've had this setup for over a year and don't use it too often but know it worked in the past. I went to use it the other day from within the YouTube app on my iPhone and to my surprise, no devices were located. I made sure Avahi was still running and for the heck of it tried another app with the cast function (Amazon Prime Video) and lo and behold the device list was full of what I expected to see. I then jumped over to my IoT WiFi network and went back into YouTube, this time the devices were located. I have two Chromecast Ultras and a Vizio TV with a built in Chromecast, when inside YouTube on my LAN network, no devices show up, from within Prime Video they all do, when on the IoT WiFi they show up in YouTube. Any secret to get the devices to populate inside YouTube?

  • @blakee8963 5 years ago

    Exactly what I was looking for. One question, what about cameras? Would it be best to create a third network and put your PVR on that with the cameras or just keep them all on the IOT network. I assume you could then go in and block domains on that network so they can’t send data back to China?

    • @spielp 5 years ago

      Blake E personally I would put it on a separate network that has no access to the internet or anything else for that matter. You could still access your cameras from the outside via vpn

    • @blakee8963 5 years ago

      Paul Spielvogel Agreed. Thanks

  • @kylelaker539 10 months ago

    Can Plex still work on this setup?

  • @mrsaladdressing7189 5 years ago

    Do you ever enable in PFsense UPnP for the IOT interface?

    • @LAWRENCESYSTEMS 5 years ago

      I have not had to for any of the devices that I have used, but some may require it.

  • @SavellM 5 years ago

    How do you get the dark mode on pfSense?

  • @sebastiencouture5387 5 years ago

    I tried it on my network and it doesn't work... I will soon give up on trying to make it work.

  • @mobi8138 3 years ago

    Do you need a separate wireless AP when isolating iot devices?

    • @LAWRENCESYSTEMS 3 years ago

      That depends if the wireless AP you have supports creating separate VLANs.

  • @allanzfs 5 years ago

    I may have missed it, but setting up a vlan requires a switch that supports vlans. No specialized switch and as far as I know vlans will not work with pfSense or anything else unless you have an extra NIC in which case Vlans don't apply. If Vlans with pfsense work without a vlan specific switch, do a video showing up please.

    • @LAWRENCESYSTEMS 5 years ago +1

      VLANS only work with switches that have VLAN support

  • @TjPhysicist 1 year ago

    "if your refrigerator gets compromised, it [shouldn't] become an attack vector" is actually an odd sentence if you think about it

  • @awutub 5 years ago

    Is it correct that it is still possible to ping other private networks despite the rule at 10:37 and get a reply from hosts in the other private networks? I applied your rule 10:37 and get ping answers from outside. As soon as rule 10:37 is disabled no more ping answers from other networks. This is confusing/irritating! You should clarify/mention this.

    • @awutub 5 years ago

      Sorry, it's my fault. I had a rule (overseen) for ICMP to allow this.

  • @Jr-hv1ct 5 years ago

    Hi Tom, question for you have been following your videos to setup a Protectli box to learn pfsense and have a question. I would have come across some posts suggesting that logging will destroy the 32GB ssd quickly, is this the case? Also is there a way to setup pfsense to use a second hard drive for /var directory and the other directories which have a lot of writes so the main m.2 ssd won't take the hits. Would appreciate any feedback you can give thanks for sharing.

    • @LAWRENCESYSTEMS 5 years ago

      That is not really a concern unless you are logging several thousand computers with detailed logging, and even then it would more likely take years. While it is true that SSD can see wear from frequent small writes, it takes years and years before it is an issue.

    • @Jr-hv1ct 5 years ago

      @LAWRENCESYSTEMS Hi Tom, thanks for clearing that up for me, it is appreciated.

    • @Jr-hv1ct 5 years ago

      Hi Tom, follow up question have been testing over last few days following your videos and some netgate ones as well have set up pia as the wan and was setting up pfblocker and when I added the dns rules to force dns through pfsense dns resolution breaks. I checked the general settings and turned off the dns server override that allows connections over the normal wan but not over the pia connection. What am I missing here?

    • @Jr-hv1ct 5 years ago

      Hi Tom just letting you know I solved the issue my linux installation resolv config file wasn't updating and had dns servers not listed in the pfsense dns list hence why dns was being blocked when I turned on the dns firewall rules. So thanks again for your help.

  • @jeff8207 5 years ago +1

    Tom, why not just have a block everything rule in your IOT network that says "Source=IOT Network; Destination=LAN". This should block all communication from IOT to LAN but still allow IOT internet access and for DNS lookups. What am I missing here?

    • @MrJakecornford 5 years ago +2

      He has more subnets than just LAN. I think what you could do is have one rule that allows IOT through to WAN, everything else would remain blocked by default

    • @LAWRENCESYSTEMS 5 years ago

      Correct, that rule would work if there was only one network.

  • @PCWizrdSolutions 5 years ago

    Any suggestion on doing with Unifi USG?

    • @exen900 4 years ago

      PC Wizrd there is a Guide for using the USG but I really have issues using the chromecast. Most times it doesn’t work, only sometimes. The USG seems to have a few issues with the mDNS.

  • @timv.online 5 years ago +7

    How can I do this on a complete unifi setup?

    • @LukeBares 5 years ago +1

      This might help you.. help.ubnt.com/hc/en-us/articles/360001004034-UniFi-Best-Practices-for-Managing-Chromecast-Google-Home-on-UniFi-Network

  • @JoshVamos 3 years ago

    What application is he using to graph his network?

  • @DustyLifeless 5 years ago

    Would this also work for Google Home speakers?

    • @LAWRENCESYSTEMS 5 years ago

      It should, but I don't have one to test.

    • @luckyz0r 5 years ago

      @LAWRENCESYSTEMS can you test with Sonos One? I tried and it doesn't work :(

  • @lelandclayton5462 4 years ago +1

    Doesn't work, followed your instructions to the T and my IoT network can still see my trusted network.

    • @Vadinaka 4 years ago

      Same for me. Wouldn’t it be better to have a dedicated VLan for items like Emby, Sonos, items needing mDns, and the IoT network, with Avahi making the bridge?
      In my IoT, devices are not seeing each other. Am I doing it wrong?

  • @oreste6076 5 years ago

    Can a USG handle this too?

    • @LAWRENCESYSTEMS 5 years ago

      help.ubnt.com/hc/en-us/articles/360001004034-UniFi-Best-Practices-for-Managing-Chromecast-Google-Home-on-UniFi-Network

  • @Agdkk 5 years ago

    Minor thing (as you got it right in the device ip config), but AOL has 172.128.0.0/10 - you put 172.168.69.0/24 at the top 🤓 honest mistake - otherwise neat video

    • @LAWRENCESYSTEMS 5 years ago +2

      Every time I make a typo the errorists win! ;) Thanks

    • @Agdkk 5 years ago

      Lawrence Systems / PC Pickup heh 😃 happy new year (in a little bit)

    • @Vaheen 5 years ago +1

      typo 172.168.69.0/24, should be 172.16.69.0/24

    • @Agdkk 5 years ago

      Chris King i assume that you are helping other people understand what I was referring to as it is really obvious to a networking professional like Lawrence and myself :) happy new year Chris

    • @Vaheen 5 years ago +4

      @Agdkk, my comment is to anyone reading, but no one in particular

  • @lyianx 1 month ago

    I actually want BOTH for IoT devices. Absolutely NO internet access OR trusted network access. If it *requires* internet access to function, then I don't need or want it. I want any IoT device on its own, segregated network that doesn't talk to anything else outside of that network. IMO, it has no real, technical need to do so for its basic function.

  • @markstrawcutter5838 5 years ago

    Audio seems a bit wonky. After a pause, the first couple words are silenced. Forces me to "fill in the blanks" for much of what you're saying. Could be something at my end, but only seems to be happening on this video.

  • @lohphat 4 years ago

    uh-VAH-hee
    Three syllables, stress on the second.
    Boom. Done.

  • @jagdtigger 5 years ago

    Best solution: Even if you get one don't bother with it. It is most likely a useless gimmick so there is no point wasting time on creating an isolated network for it.

  • @EpicLPer 5 years ago +14

    17 minutes video that could've been under 5 minutes... I mean it was informative and all but compressing information without losing details would certainly help in some cases.

    • @rahimlee5413 5 years ago +10

      The actual doing section was around 10 min. For most people that don't have any background the theory or the why do this section up front is nice.
      There was a lot of info here but there shouldn't be many questions after beating it into the ground.

    • @GT500Shlby 5 years ago +8

      I sometimes just skip to the meat and potatoes on videos. He’s catering to a large subset of people, some of them who are not L3/Sysadmins/DirOfTech/Etc. Some may be squarely L1 techs or single man IT company types.