Hello chap, what do you use to draw your diagrams? I was looking at Micro$oft Visio but don't want to pay £500+ for it, and Pencil Project seems to be a bit too complicated for what I want to do... Great video and keep up the great work.
Hi Tom, question for you: I have been following your videos to set up a Protectli box to learn pfSense and have a question. I have come across some posts suggesting that logging will destroy the 32GB SSD quickly; is this the case? Also, is there a way to set up pfSense to use a second hard drive for the /var directory and the other directories which have a lot of writes, so the main M.2 SSD won't take the hits? Would appreciate any feedback you can give. Thanks for sharing.
That is not really a concern unless you are logging several thousand computers with detailed logging, and even then it would more likely take years. While it is true that SSD can see wear from frequent small writes, it takes years and years before it is an issue.
Hi Tom, follow-up question: I have been testing over the last few days following your videos and some Netgate ones as well. I have set up PIA as the WAN and was setting up pfBlocker, and when I added the DNS rules to force DNS through pfSense, DNS resolution breaks. I checked the general settings and turned off the DNS server override; that allows connections over the normal WAN but not over the PIA connection. What am I missing here?
Hi Tom, just letting you know I solved the issue: my Linux installation's resolv.conf file wasn't updating and had DNS servers not listed in the pfSense DNS list, hence why DNS was being blocked when I turned on the DNS firewall rules. So thanks again for your help.
PC Wizrd there is a Guide for using the USG but I really have issues using the chromecast. Most times it doesn’t work, only sometimes. The USG seems to have a few issues with the mDNS.
Same for me. Wouldn’t it be better to have a dedicated VLan for items like Emby, Sonos, items needing mDns, and the IoT network, with Avahi making the bridge? In my IoT, devices are not seeing each other. Am I doing it wrong?
Tom, thanks for the nice video. I do have a question though. On the IoT VLAN you do provide DHCP for the IoT devices, but do you also provide DNS settings in the leases? Or do all IoT devices have default DNS settings of their own? Because with this one rule on the IoT interface, devices cannot look up DNS on the pfSense box, so if they don't have their own DNS settings, they will fail to communicate with the outside. I mean, they cannot do DNS lookups, so they fail. But I will build this at home; this is a great tip for keeping all those creepy IoT fu**ers out of my LAN ;-)
Minor thing (as you got it right in the device ip config), but AOL has 172.128.0.0/10 - you put 172.168.69.0/24 at the top 🤓 honest mistake - otherwise neat video
Chris King I assume that you are helping other people understand what I was referring to, as it is really obvious to a networking professional like Lawrence and myself :) Happy new year, Chris.
I actually want BOTH for IoT devices. Absolutely NO internet access OR trusted network access. If it *requires* internet access to function, then I don't need or want it. I want any IoT device on its own, segregated network that doesn't talk to anything else outside of that network. IMO, it has no real, technical need to do so for its basic function.
Audio seems a bit wonky. After a pause, the first couple words are silenced. Forces me to "fill in the blanks" for much of what you're saying. Could be something at my end, but only seems to be happening on this video.
Best solution: Even if you get one dont bother with it. It is most likely an useless gimmick so there is no point wasting time on creating an isolated network for it.
17 minutes video that could've been under 5 minutes... I mean it was informative and all but compressing information without losing details would certainly help in some cases.
The actual doing section was around 10 min. For most people that don't have any background, the theory or the "why do this" section up front is nice. There was a lot of info here, but there shouldn't be many questions after beating it into the ground.
I sometimes just skip to the meat and potatoes on videos. He’s catering to a large subset of people, some of them who are not L3/Sysadmins/DirOfTech/Etc. Some may be squarely L1 techs or single man IT company types.
Got into homelabbing, and now I keep getting these videos recommended. And I never know that it's the video I'm looking for before I watch it, because it explains a concept that I'm not aware of. Then after I've watched them I immediately have to go and implement it on my home network. Great work. Looking forward to the next recommended video of something exciting that I'm not yet aware of!
So I guess it's great work to you because the video is very good, easy to understand. And also, strangely enough, good job to the YouTube algorithm... hmm, feels weird just writing that sentence...
For anyone having trouble with this over WiFi. Some WiFi systems default to filtering broadcasts, so you may have to disable this filtering. For me it was Aruba "Broadcast Filtering" that defaults to allowing ARP only. Once this was disabled it worked perfectly.
Brilliant. A bit lengthy, but this is necessary if you start from scratch. I was already watching a lot of videos in this direction lately and now, thanks to this channel (and especially this video), my completely separate IoT network with ~40 devices works perfectly. The missing bit was mDNS to make Chromecast work across networks. Thank you!
Once again, a Lawrence Systems video helped me fix a problem I didn't realize I had. My ESPHome devices for Home Assistant were not quite working after putting them on an IoT subnet/VLAN. They could be configured and updated and I could read the logs, but they remained in the "OFFLINE" state in Home Assistant. Turns out they depend on mDNS to find Home Assistant, and Avahi was the magic that was needed to make that work. Thanks again!
Same exact thoughts. My server network is on a different subnet than my "home network". Suffice to say my Home Assistant is on the server network and needs to speak to Apple TV, Sonos, and everything else on the home subnet. @LawrenceSystems Tom is always ahead of me. This time by 4 years.
Phenomenal description of securing IoT devices while still allowing actual secured devices to initiate communication and requests. Wildly helpful
Thanks, I love making things that people consider " Wildly helpful"
I’m just getting started with PFSense and this is very helpful to me.
Thanks.
Exactly what i searched 🥳👍
Searches for refresher of securing iot vlan for my network overhaul. Of course, it's Lawrence. Thanks for all you do.
A little late to the comments, but last week I decided to migrate my little Linux box (failing, bad RAM I suspect) with 2 UniFi APs and a Netgate SG-3100 based solely on your excellent videos. You explain stuff VERY well (I actually understand what every option actually means), they are straight to the point, they actually work quite well and you have topics about... just everything! This was a major PITA for me, but the Chromecast works perfectly now! Thank you, thank you, thank you!!
I can't believe you said "Your refrigerator being attacked..." This is the world we live in now. Brings a whole different meaning when you say things like "It's got everything but the kitchen sink."
Thank you, I’ve really needed answers on how to accomplish this for a long time. As a noob, it seemed daunting to try to manage the ports that IoT needs to work on a separate network, and still let devices work with them from my trusted net. Very clear explanation, and concise video!
Glad it helped!
3:38 I don't think the refrigerator would be wandering around.
If anything, it would be running.
I'll see myself out.
Love the video! I recently got some IOT stuff and had a similar setup but I like how you explain why you do things. This helps refine my setup to be more effective and less complicated. Thanks!
Avahi recommends caution when enabling publishing settings, and has them all off by default; however, they are all enabled in this video. I am having a hard time finding anyone that actually explains the scope and necessity of these settings; why are they not even mentioned?
I usually don't comment on videos! But this is too strange to let go by! Sometimes I think that you read my mind on the videos that I like! Great work, and hope that 2019 brings only the best to your life (personal, work, YouTube, etc.!). Thank you.
Outstanding. Exactly what I needed and exactly the right detail.
exactly what i needed. thanks for teaching me pfsense bro
How would you go about preventing lateral movement inside the 172 network with unifi switches/ap's and pfSense as firewall? Isolating each device on separate vlans does not really scale
Awesome! Please more pfsense videos! Thanks a million!
Thanks for another informative video. Always love the pfSense related videos.
Old video but super useful. Thanks Tom again
Thanks for the helpful video. This was exactly what I needed to set up my ADT system on OPT1. It has its own Wi-Fi router for some of the sensors and who knows whether the firmware is ever updated. Keep 'em coming. Also, you might want to remind people to reset their state tables once in a while when making changes. That really helped me out setting up my OPT1 configs.
Using aliases is awesome. I like to use an RFC_1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) alias to cover all private networks. Then use invert match just like you to limit to only "internet" access; this way future internal networks are automatically blocked for things like IoT/Guest.
if you do that just make sure to add a rule before that one that allows traffic from the IOT/GUEST Net to the IOT/GUEST Net
@@fedemtz6 I might be missing something, but if two things in the same subnet want to communicate with each other, the traffic wouldn't go through the gateway anyway, since it's just direct layer 2 communication?
@@vitektony I have the same question, did you get an answer? (About the "rules in a subnet to the same subnet" question.)
@@daniel_2 No, but I am quite confident that it works the way I stated above.
so what is your ip subnet for iot?
Thanks Tom, really enjoyed your vid. IoT devices are a real problem, but like anything, you just need to manage it (personally I'm still old school, I hate wireless). Thanks a bunch for giving us real world scenarios and solutions... I have also implemented segregation at home, BW control etc. Gold nuggets that you have taught me. I would like to request some additional implementations of security between devices on your local LAN, wireless etc. with certificates, perhaps a brief discussion on the network configurations with pfSense, as additional layers one could implement... thanking you, kind regards
Lance
Awesome. Basic overview that was simple and straightforward 👍🏼👍🏼
Thank you.
Can I skip unifi switch and achieve the same with pfsense box and unifi access point?
Cheers
Question about mDNS on PF: like you I have many VLANs and have isolated the Internet Of Turd 💩 device(s), and gone the extra step(s) of only allowing a device to use 8.8.8.8 DNS, any HTTP/S and NTP, and the multicast protocol.
mDNS and DNS are two completely different services and protocols, but I get odd timeouts resolved by EITHER
switching the IoT device to use the PF box as the DHCP-assigned DNS server,
OR
re-leasing the IP address of the non-IoT device trying to reach the IoT device 🤔
It's puzzling because they're three different services and protocols.
Tip: remember Avahi as "I Have A".
As an ICT/network enthusiast I love your videos. For me they are a goldmine of information. Thanks for sharing all this knowledge 👍
Just wanted to highlight something - even though you're right - The ping is an ICMP packet, and thus does not fall into the rule that you just made. (I know, it does fall into the implicit block however, but I guess a more apt test would be to test curl or wget towards one of the internal machines). Am I wrong in this?
Hey! Just followed your video, but I can't cast anything to my Chromecast. I set up Avahi, I have rules in the Smarthome firewall which let the Chromecast go anywhere, and I have a rule in the LAN firewall to let anything reach the Chromecast. What am I missing?
Very well done sir ! Thanks for sharing your knowledge :)
Love the video. However, do you have a video on the same configuration for untangle?
Thank you so much for all your videos!!!
Great Video! Quick question, how can I block access to LAN except for few machines with specific ports (Between Sonos Controller and Sonos speakers), not mDNS, while maintaining internet access
Hey Tom, great video, thanks!
This is a great explanation. However, a question; What's the point of setting the source to IOT net vs just using *? As IOT net is the whole subnet of that VLAN.
Thanks, can you do an updated video on the Internet of Things, pfSense rules for that, and how they can communicate between IoT devices?
I don't understand the question
I needed this, thanks!
Good info as always Lawrence! Appreciate the knowledge sharing.
May we see the rules from the other networks to get into IOT?
Great video. I have run into situations where a camera NVR won't connect locally to the phone app, because it does not see it on the same network. I have tried everything, but have never found a workaround. Have you ever run into this? Also, when I try to use Miracast to a TV on an IoT LAN, it can't find it. Have you run into this as well?
I was wondering if you have had to try and get casting to work with a Roku TV with this setup. I have not had any luck. Any suggestions would really be great.
Do one for EdgeRouter
I've been beating my head against a wall for months working on this. I've enabled Avahi and have my rules in pfSense correct, but I still can't see "cast" devices across VLANs. Is it because my LAN is getting its DHCP and DNS from my domain controllers and not pfSense?
I couldn't get it working until I allowed the IOT network to talk to the LAN. I had blocked this initially and only allowed internet access. Chromecast would not work and in my firewall logs, I saw attempts from the device to connect to the LAN on port 8010... It wasn't until I allowed this that I could cast movies on my TV
Great vid and quite topical as I am building my iot network before the iot devices on my internal network grows any larger than they already are....
Q: Would it be better to put a Plex server along with the file server that supports it on the IOT network with the Amazon Fire's etc or can they remain on the trusted network?
Hi, I'm a big fan of your channel. Thank you for posting. On this episode you only cover the firewall side (pfSense), but what about the UniFi Controller? Do I have to make some changes there too? Like enable IGMP snooping?
Yes, I believe with the latest UniFi firmware you need to enable IGMP Snooping.
Great video. Thanks Tom!
I find HomeKit still doesn't work correctly with this setup. Are there known bugs, etc. for Avahi? Is there a method to do this without it?
I appreciate this info, thanks! Question about blocking traffic. If my Sonos speakers are on my IoT VLAN and my inter-VLAN traffic is blocked, do I just need to allow the private network to access the Sonos speakers, but the Sonos speakers don't need to access the private VLAN? If the request for music is made from private to Sonos, will they answer, even when they are blocked on the IoT side?
Not really sure what Sonos requires to work.
@@LAWRENCESYSTEMS I wasn't referring to sonos specifically, just devices, and trying to ask if endpoints could answer requests through a block rule.
Hi Lawrence, what about if you need to access DLNA content from a NAS located in a different VLAN but cast the video to smart TV's in the IoT network? Any Idea how to approach that?
Is it correct that it is still possible to ping other private networks despite the rule at 10:37 and get a reply from hosts in the other private networks? I applied your rule 10:37 and get ping answers from outside. As soon as rule 10:37 is disabled no more ping answers from other networks. This is confusing/irritating! You should clarify/mention this.
Sorry, it's my fault. I had a rule (overlooked) for ICMP that allowed this.
can plex still work on this setup?
Thanks much appreciated. 👍
Tom, why not just have a block everything rule in your IOT network that says "Source=IOT Network; Destination=LAN". This should block all communication from IOT to LAN but still allow IOT internet access and for DNS lookups. What am I missing here?
He has more subnets than just LAN. I think what you could do is have one rule that allows IoT through to WAN; everything else would remain blocked by default.
Correct, that rule would work if there was only one network.
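The alias thread above ("RFC_1918 alias plus invert match", and the follow-up about needing an explicit allow before it), the "Source=IOT, Destination=LAN" shortcut Tom says only works with a single network, and the Plex tcp/32400 reply further down all come down to the same thing: pfSense evaluates an interface's rules top to bottom, first match wins, and anything unmatched hits the implicit default deny. The following is an added example, not code from the video or from pfSense itself: a small Python model of that first-match evaluation over constructed, hypothetical addressing (IoT VLAN 172.16.69.0/24 with pfSense at .1, trusted LAN 192.168.1.0/24, a Plex server at 192.168.1.20). It puts the "block LAN only" shortcut next to the alias approach and shows where the shortcut leaks (any other internal subnet) and where it breaks things (Plex on the LAN). The rule names and the DNS-to-gateway exception are assumptions for the example; pfSense's "invert match" checkbox is modelled as `dst_invert`.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addressing for this example (hypothetical, not from the video).
IOT_NET = ipaddress.ip_network("172.16.69.0/24")       # IoT VLAN
IOT_GATEWAY = ipaddress.ip_network("172.16.69.1/32")   # pfSense "IOT address" (DNS resolver)
LAN_NET = ipaddress.ip_network("192.168.1.0/24")       # trusted LAN
PLEX_SERVER = ipaddress.ip_network("192.168.1.20/32")  # Plex server on the trusted LAN

# The RFC_1918 alias from the thread: every private range, so new VLANs are covered automatically.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
ANY = [ipaddress.ip_network("0.0.0.0/0")]


@dataclass
class Rule:
    name: str
    action: str                        # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: List[ipaddress.IPv4Network]   # destination alias: one or more networks/hosts
    dst_invert: bool = False           # pfSense "invert match" on the destination
    proto: Optional[str] = None        # None = any protocol
    dport: Optional[int] = None        # None = any destination port

    def matches(self, proto: str, src: ipaddress.IPv4Address,
                dst: ipaddress.IPv4Address, dport: int) -> bool:
        if src not in self.src:
            return False
        if self.proto is not None and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        in_alias = any(dst in net for net in self.dst)
        # invert match: the rule matches when the destination is NOT in the alias
        return in_alias != self.dst_invert


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> Tuple[str, str]:
    """First-match evaluation of one interface's rule list, as pfSense does.
    Returns (action, rule name); no match falls through to the implicit default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(proto, s, d, dport):
            return rule.action, rule.name
    return "block", "default-deny"


# The shortcut from the thread: block only the LAN subnet, then allow everything else.
NAIVE_RULES = [
    Rule("block-lan", "block", IOT_NET, [LAN_NET]),
    Rule("allow-rest", "pass", IOT_NET, ANY),
]

# The alias approach: explicit exceptions first, then "internet only" via invert match.
# Ordering matters: the exceptions must sit above the invert-match rule, because
# the invert-match rule never passes traffic to a private destination.
HARDENED_RULES = [
    Rule("dns-to-resolver", "pass", IOT_NET, [IOT_GATEWAY], dport=53),          # TCP/UDP 53 to pfSense
    Rule("plex-from-iot", "pass", IOT_NET, [PLEX_SERVER], proto="tcp", dport=32400),
    Rule("internet-only", "pass", IOT_NET, RFC1918, dst_invert=True),            # !RFC_1918
]


if __name__ == "__main__":
    samples = [
        ("udp", "172.16.69.50", "172.16.69.1", 53),      # DNS to the pfSense resolver
        ("tcp", "172.16.69.50", "8.8.8.8", 443),         # the internet
        ("tcp", "172.16.69.50", "192.168.1.10", 445),    # a trusted LAN host
        ("tcp", "172.16.69.50", "192.168.1.20", 32400),  # Plex on the LAN
        ("tcp", "172.16.69.50", "10.0.0.5", 22),         # some other internal VLAN
    ]
    for pkt in samples:
        print(pkt, "naive:", evaluate(NAIVE_RULES, *pkt), "hardened:", evaluate(HARDENED_RULES, *pkt))
```

Run stand-alone, the table shows the two failure modes of the shortcut: 10.0.0.5 passes under `NAIVE_RULES` (only the LAN subnet was named), and 192.168.1.20:32400 is blocked there even though Plex should be reachable, while `HARDENED_RULES` blocks every private destination except the ones listed above the invert-match rule. One caveat the model deliberately leaves out: pfSense is stateful, so a connection the trusted LAN opens towards an IoT device gets its replies back through the state entry without any IoT-side pass rule, which is why "LAN may reach Sonos, Sonos may not reach LAN" works for LAN-initiated streams but not for a device that has to open its own connection back (the port-8010 Chromecast case mentioned below).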
"if your refrigerator gets compromised, it [shouldn't] become an attack vector" is actually an odd sentence if you think about it
Is there a recent tutorial on Avahi the interface has changed again
Thank you for the video Lawrence!
Have you heard about OPNsense and have you tried it ? I am looking to build my own firewall at home and am a bit lost between pfsense and opnsense that both looks great. Thanks!
I prefer pfSense; there is not really anything that OPNsense offers that makes me want to switch.
Hello, how can i setup mdns “.local” domain on windows computer?
I'd love for someone to go over "invert match" more extensively. I'm very curious.
Do you need a separate wireless AP when isolating iot devices?
That depends if the wireless AP you have supports creating separate VLANS
How can I do this on a complete unifi setup?
This might help you.. help.ubnt.com/hc/en-us/articles/360001004034-UniFi-Best-Practices-for-Managing-Chromecast-Google-Home-on-UniFi-Network
I have a Synology NAS running a Plex server on my network and would like my firesticks & Nvidia shield devices on the IOT vlan but have access to plex. Is this possible?
I have an odd issue here. I've had this setup for over a year and don't use it too often, but know it worked in the past. I went to use it the other day from within the YouTube app on my iPhone and, to my surprise, no devices were located. I made sure Avahi was still running and for the heck of it tried another app with the cast function (Amazon Prime Video) and, lo and behold, the device list was full of what I expected to see. I then jumped over to my IoT WiFi network and went back into YouTube; this time the devices were located. I have two Chromecast Ultras and a Vizio TV with a built-in Chromecast. When inside YouTube on my LAN network, no devices show up; from within Prime Video they all do; when on the IoT WiFi they show up in YouTube. Any secret to get the devices to populate inside YouTube?
I'm trying to setup my Sonos One in a different subnet like this, but it doesn't work with avahi. Can you please help me?
Anybody have experience getting YouTube casting to work with the Amazon Fire Stick 4K? Casting works with the Chromecast, but not the Fire Stick. It just hangs after selecting the device.
Thank you for another great video
Thanks
The last update to Avahi seems to be dated July 2017.
Is it no longer maintained, or has there simply been no reason to provide an updated version yet?
That standard has been around since 2013 so I would say it's not likely that it needed any changes.
Exactly what I was looking for. One question, what about cameras? Would it be best to create a third network and put your PVR on that with the cameras, or just keep them all on the IoT network? I assume you could then go in and block domains on that network so they can't send data back to China?
Blake E personally I would put it on a separate network that has no access to the internet or anything else for that matter. You could still access your cameras from the outside via vpn
Paul Spielvogel Agreed. Thanks
I may have missed it, but setting up a VLAN requires a switch that supports VLANs. Without a specialized switch, as far as I know, VLANs will not work with pfSense or anything else unless you have an extra NIC, in which case VLANs don't apply. If VLANs with pfSense work without a VLAN-capable switch, please do a video showing it.
VLANs only work with switches that have VLAN support.
Thanks for sharing.
I have one question: is it possible for a Plex client on the IoT network to communicate with a Plex server on the private network?
Thanks again
@s0n1kpt, you definitely want the Plex client on the IoT network, so you can add a higher-priority rule that allows the IoT network to initiate a connection to the Plex server using only the ports that Plex requires to communicate (which will include tcp/32400 by default, and maybe some others; you will need to test).
Do you ever enable UPnP in pfSense for the IoT interface?
I have not had to for any of the devices that I have used, but some may require it.
As soon as I activate the firewall rule I can see the AirPlay devices but not play them anymore. iTunes error something like can not connect. I have the same VLAN structure with UniFi hardware. Does anyone have an idea of what I can do?
Hello chap
What do you use to draw your diagrams? Was looking at Micro$oft Visio but don't want to pay £500+ for it, and Pencil Project seems to be a bit too complicated for what I want to do....
Great video and keep up the great work.
Never Mind. Found it!
@forrestmcmean2257 I'd appreciate it if you would share the app name used to draw the diagram. Thanks in advance.
Good video! thank you
I tried it on my network and it doesn't work... I will soon give up on trying to make it work.
Hi Tom, question for you. I have been following your videos to set up a Protectli box to learn pfSense and have a question. I have come across some posts suggesting that logging will destroy the 32GB SSD quickly; is this the case? Also, is there a way to set up pfSense to use a second hard drive for the /var directory and the other directories which have a lot of writes, so the main M.2 SSD won't take the hits? Would appreciate any feedback you can give. Thanks for sharing.
That is not really a concern unless you are logging several thousand computers with detailed logging, and even then it would more likely take years. While it is true that SSD can see wear from frequent small writes, it takes years and years before it is an issue.
@LAWRENCESYSTEMS Hi Tom, thanks for clearing that up for me, it is appreciated.
Hi Tom, follow-up question. I have been testing over the last few days following your videos and some Netgate ones as well. I have set up PIA as the WAN and was setting up pfBlocker, and when I added the DNS rules to force DNS through pfSense, DNS resolution breaks. I checked the general settings and turned off the DNS server override, which allows connections over the normal WAN but not over the PIA connection. What am I missing here?
Hi Tom, just letting you know I solved the issue. My Linux installation's resolv.conf file wasn't updating and had DNS servers not listed in the pfSense DNS list, hence why DNS was being blocked when I turned on the DNS firewall rules. So thanks again for your help.
What application is he using to graph his network?
I currently use Draw.io
Any suggestion on doing with Unifi USG?
PC Wizrd there is a guide for using the USG, but I really have issues using the Chromecast. Most times it doesn't work, only sometimes. The USG seems to have a few issues with mDNS.
How do you get the dark mode on pfSense?
Doesn't work, followed your instructions to the T and my IoT network can still see my trusted network.
Same for me. Wouldn't it be better to have a dedicated VLAN for items like Emby, Sonos and other items needing mDNS, and the IoT network, with Avahi making the bridge?
In my IoT, devices are not seeing each other. Am I doing it wrong?
Would this also work for Google Home speakers?
It should, but I don't have one to test.
@LAWRENCESYSTEMS can you test with Sonos One? I tried and it doesn't work :(
Tom, Thanks for the nice video.
I do have a question tho.
On the IoT VLAN you do provide DHCP for the IoT devices, but do you also provide DNS settings in the leases?
Or do all IoT devices have default DNS settings of their own?
Because with this one rule on the IoT interface, devices cannot look up DNS on the pfSense box, so if they don't have their own DNS settings, they will fail to communicate with the outside. I mean, they cannot do DNS lookups, so they fail.
But I will build this at home; this is a great tip for keeping all those creepy IoT fu**ers out of my LAN ;-)
A VLAN still needs DHCP and other services to be allowed in order for it to work.
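The rule set the thread converges on (DNS and DHCP to pfSense allowed, a Plex exception on tcp/32400 placed above the blocking rule, and an "invert match" rule that passes everything except the LAN) is easy to get wrong by ordering alone, because pfSense interface rules are evaluated first-match with an implicit default deny. The script below is an added example, not code from the video, from pfSense, or from any commenter: it simulates that first-match evaluation over a handful of constructed packets so the ordering mistakes discussed above become visible. The subnets 192.168.1.0/24 (LAN) and 172.16.69.0/24 (IoT, the corrected form of the typo noted further down), the IoT gateway 172.16.69.1 and the Plex host 192.168.1.10 are assumed values, and pfSense's own hidden DHCP-server rules are modelled as an explicit rule so the script runs offline.

```python
# Added example: first-match firewall rule simulation for an IoT VLAN.
# Not code from the video, pfSense or any commenter; all addresses are assumed.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

LAN_NET = ip_network("192.168.1.0/24")        # assumed trusted LAN
IOT_NET = ip_network("172.16.69.0/24")        # IoT VLAN, corrected subnet from the thread
IOT_GATEWAY = ip_network("172.16.69.1/32")    # assumed pfSense address on the IoT VLAN
PLEX_SERVER = ip_network("192.168.1.10/32")   # assumed Plex host on the LAN
BROADCAST = ip_network("255.255.255.255/32")  # DHCP discover/request destination
ANY = ip_network("0.0.0.0/0")


def is_rfc1918(cidr: str) -> bool:
    """True when the whole prefix sits inside one RFC 1918 range (catches 172.168.x typos)."""
    net = ip_network(cidr, strict=False)
    return any(net.subnet_of(r) for r in RFC1918)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    dst: IPv4Network             # destination the rule names
    proto: Optional[str] = None  # None = any protocol
    dport: Optional[int] = None  # None = any port
    invert_dst: bool = False     # pfSense "invert match" on the destination field
    note: str = ""

    def matches(self, pkt: Packet) -> bool:
        in_dst = ip_address(pkt.dst) in self.dst
        if in_dst == self.invert_dst:   # invert match flips the destination test
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        return self.dport is None or self.dport == pkt.dport


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """pfSense interface rules are first-match; no match means the implicit default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.note
    return "block", "implicit default deny"


# Rule set as the thread describes it: services to pfSense first, the Plex
# exception above the restriction, then "pass to anything that is not LAN".
IOT_RULES = [
    Rule("pass", IOT_GATEWAY, "udp", 53, note="DNS to the pfSense resolver"),
    Rule("pass", BROADCAST, "udp", 67, note="DHCP to pfSense (pfSense adds this itself)"),
    Rule("pass", PLEX_SERVER, "tcp", 32400, note="IoT clients to Plex"),
    Rule("pass", LAN_NET, invert_dst=True, note="anything except the LAN (internet)"),
]

# Same intent, but the Plex exception sits below a block rule: it is never reached.
MISORDERED_RULES = [
    Rule("pass", IOT_GATEWAY, "udp", 53, note="DNS to the pfSense resolver"),
    Rule("block", LAN_NET, note="block IoT to LAN"),
    Rule("pass", PLEX_SERVER, "tcp", 32400, note="shadowed by the block above"),
    Rule("pass", ANY, note="internet"),
]

# Constructed probe packets from an IoT device (TEST-NET-2 address stands in for the internet).
PROBES = {
    "dns_to_pfsense": Packet("172.16.69.50", "172.16.69.1", "udp", 53),
    "dhcp_broadcast": Packet("0.0.0.0", "255.255.255.255", "udp", 67),
    "plex":           Packet("172.16.69.50", "192.168.1.10", "tcp", 32400),
    "lan_ssh":        Packet("172.16.69.50", "192.168.1.20", "tcp", 22),
    "internet_https": Packet("172.16.69.50", "198.51.100.7", "tcp", 443),
}


def demo(rules: List[Rule] = IOT_RULES) -> Dict[str, str]:
    """Return the verdict ("pass"/"block") for every probe under the given rule set."""
    return {name: evaluate(rules, pkt)[0] for name, pkt in PROBES.items()}


if __name__ == "__main__":
    for label, rules in (("thread order", IOT_RULES), ("misordered", MISORDERED_RULES)):
        print(label)
        for name, pkt in PROBES.items():
            action, note = evaluate(rules, pkt)
            print(f"  {name:15s} {pkt.dst}:{pkt.dport}/{pkt.proto} -> {action:5s} ({note})")
    print("172.16.69.0/24 is RFC1918:", is_rfc1918("172.16.69.0/24"))
    print("172.168.69.0/24 is RFC1918:", is_rfc1918("172.168.69.0/24"))
```

Running it shows the Plex probe passing under the thread's ordering and being blocked under the misordered set, while the SSH probe to another LAN host is denied in both. The simulator only models destination, protocol and port, which is what these particular rules key on; pfSense also matches on source, interface and state, so treat it as a check on rule order rather than a substitute for the firewall's own rule evaluation.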
Can a USG handle this too?
help.ubnt.com/hc/en-us/articles/360001004034-UniFi-Best-Practices-for-Managing-Chromecast-Google-Home-on-UniFi-Network
Minor thing (as you got it right in the device ip config), but AOL has 172.128.0.0/10 - you put 172.168.69.0/24 at the top 🤓 honest mistake - otherwise neat video
Everytime I make a typo the errorists win! ;) Thanks
Lawrence Systems / PC Pickup heh 😃 happy new year (in a little bit)
typo 172.168.69.0/24, should be 172.16.69.0/24
Chris King I assume that you are helping other people understand what I was referring to, as it is really obvious to a networking professional like Lawrence and myself :) happy new year Chris
@InVisDK, my comment is to anyone reading, but no one in particular
I actually want BOTH for IoT devices. Absolutely NO internet access OR trusted network access. If it *requires* internet access to function, then I don't need or want it. I want any IoT device on its own, segregated network that doesn't talk to anything else outside of that network. IMO, it has no real, technical need to do so for its basic function.
Audio seems a bit wonky. After a pause, the first couple words are silenced. Forces me to "fill in the blanks" for much of what you're saying. Could be something at my end, but only seems to be happening on this video.
Best solution: Even if you get one, don't bother with it. It is most likely a useless gimmick, so there is no point wasting time on creating an isolated network for it.
uh-VAH-hee
Three syllables, stress on the second.
Boom. Done.
17 minutes video that could've been under 5 minutes... I mean it was informative and all but compressing information without losing details would certainly help in some cases.
The actual doing section was around 10 min. For most people that don't have any background, the theory or the "why do this" section up front is nice.
There was a lot of info here, but there shouldn't be many questions after beating it into the ground.
I sometimes just skip to the meat and potatoes on videos. He’s catering to a large subset of people, some of them who are not L3/Sysadmins/DirOfTech/Etc. Some may be squarely L1 techs or single man IT company types.
Another great video, thank you