Floating, Group, and Interface Firewall Rules in OPNsense

  • Published 18 Oct 2024

COMMENTS • 29

  • @chewborg
    @chewborg 8 months ago

    Nice. Those floating rules always twisted my brain trying to work out how to set them

    • @homenetworkguy
      @homenetworkguy 8 months ago +1

      Yeah it can be confusing when you should use them. Some people like to use only floating firewall rules since they are familiar and prefer zone-based firewall software.

  • @Glasairmell
    @Glasairmell 8 months ago

    Another great choice for a video. Very helpful thank you!

  • @starfoxBR77
    @starfoxBR77 1 year ago

    Amazing! Thank you!
    I look forward to Port Forwarding and Outbound NAT... :-)

  • @japanham5973
    @japanham5973 5 months ago

    Very informative and timely topic. Did you make a printable version of this? Sometimes you seem to ad-lib a bit and swing the cursor around and it makes it a bit tough on us beginners to follow. Have you ever thought of making a script first, or at least more granular talking points and sticking to them in the video? Not a complaint, just a few suggestions for the newbies in the group. I always learn something in your videos and many times find just what I was looking for topic-wise. Thanks again,...

    • @homenetworkguy
      @homenetworkguy 5 months ago

      Oftentimes I have a written version on my website but I don't have one for this one (probably should write it up). Yeah, I should probably write a script to make it more polished but I would need a teleprompter if I want to show my face in the videos. It's one of those slow incremental improvements that I hope to do at some point… just takes a lot of effort even to do simple things so I try to be efficient with the limited time I have. Glad you still learned some things! Thanks for the feedback!

    • @japanham5973
      @japanham5973 5 months ago

      @homenetworkguy Thanks much for taking the time to read and reply to my comments. I am glad that you took my words for what they were meant to be... just suggestions on how one of your family thinks might help me and others.
      Having the written and the live video takes a lot of time, I'm sure, and we all appreciate all the work and effort you put forth to help us understand so much about whatever you choose as a topic. Having both is really helpful, when you can.

  • @timmark4190
    @timmark4190 9 months ago

    Why did you just do outbound for Spamhaus? Why not inbound? Great video by the way.

    • @homenetworkguy
      @homenetworkguy 9 months ago

      Thanks! Inbound connections are blocked by default by the firewall so you would only want to block incoming connections if you are hosting services publicly on the Internet (of course there are risks with doing that).

  • @MrKalindro
    @MrKalindro 1 year ago

    I wish there was something regarding groups and the usual rules we set for all the VLANs (the allow Internet only and DNS from your guide). I wonder if somehow I can leverage groups so the DNS and "Internet only" rule is defined in this one place? I've tried and it may work for Internet access, selecting the group as source and inverted destination. But for DNS, I can't select "Group address". I wonder if there is a way to do it.

    • @homenetworkguy
      @homenetworkguy 1 year ago +1

      One thing to consider is if you create those rules as group rules, you will not be able to apply rules that are specific to individual interfaces/networks that need to execute before the group rules, since the group rules are executed before the interface rules (or if you block all private networks in a group rule, on the interface rules you wouldn't be able to allow access to a device on another internal network since it is blocked by the group rule). That's why it's not a good idea to have certain rules at the group or floating rule level. It prevents you from allowing specific exceptions on individual interfaces. To me, it's not a huge deal to have those 2 rules on every interface (or most of them) since I only need to set those rules up once and it allows me to easily control access between all of my internal networks. Group rules are helpful for me when I want 2 or more networks to have access to the same set of services (such as my reverse proxy on the DMZ or other apps/services on my network).

    • @MrKalindro
      @MrKalindro 1 year ago

      @homenetworkguy That's a very good point I didn't think about, thank you

  • @michaelbleazard3179
    @michaelbleazard3179 1 year ago

    I have Google Fiber 1 Gb internet. At the time I had a Google Fiber router, I tested Waveform bufferbloat and I received a grade of C.
    So I ditched it and now I have OPNsense as my router on a PC, my bufferbloat is still a C.
    I am using overkill stuff such as a 2.5 Gb NIC on the router (PC with OPNsense by itself).
    The computer with OPNsense has an i5-10400 (6 cores, 12 threads), 12 GB of RAM, and a 256 GB SSD.
    Any tips to improve my bufferbloat to A?
    I believe it's due to high upload latency.
    Bufferbloat Grade: C
    Unloaded: 18 ms
    Download active: 19 ms
    Upload active: 133 ms
    Download: 874.8 Mbps
    Upload: 820.7 Mbps

    • @homenetworkguy
      @homenetworkguy 1 year ago

      I haven't done it myself (since I already throttle my upload bandwidth for offsite backups and rarely saturate my available bandwidth), but to improve bufferbloat, you have to limit the amount of upstream/downstream bandwidth so that it doesn't fully saturate your connection. That requires messing with the traffic shaper configuration.
      I'm a bit surprised to see you're not getting closer to 920-940 Mbps with the hardware you have since it's pretty powerful. I've saturated 1 Gbps (and even exceeded 1 Gbps) with less powerful hardware. It could just be the speed to that server so it might not be a good indicator of maximum throughput (plus that test is purposely trying to fully saturate your bandwidth to see how well it performs).

    • @michaelbleazard3179
      @michaelbleazard3179 1 year ago

      @homenetworkguy thank you so much for your response! What do you recommend for me to start with for the traffic shaper?

    • @homenetworkguy
      @homenetworkguy 1 year ago +1

      I don’t have any traffic shaper guides for OPNsense (yet) but I have seen some guides out there since that is a topic some are very interested in (perhaps search the OPNsense forum). I think it’s interesting but it’s a lower priority for me because it’s not a huge problem on my network and I have so many other topics to cover, haha.

  • @karloa7194
    @karloa7194 1 year ago

    I only use the floating rules for all my policies. The reason is I like zone-based firewalls.

    • @homenetworkguy
      @homenetworkguy 1 year ago

      Interesting. Do you have a couple of high level examples of how you implement such rules using floating rules?

    • @homenetworkguy
      @homenetworkguy 11 months ago

      Interesting. Thanks for that info! Sorry for the delayed responses but sometimes my comments get flagged as “held for review” and I forgot to check for those comments because they are filtered out by default.

  • @ryanbuster4626
    @ryanbuster4626 8 months ago

    I feel you should go over switch config BEFORE firewall rules. We can't add devices by IP to access other networks until they receive an IP for that VLAN. Also can't assign anything static unless we have the MAC written down, as anything connected before switch config will automatically join LAN/VLAN 1. I've been trying to understand FW rules all day but not having my VLANs configured on the switch and SSIDs created on the new AP is making it more difficult. Maybe it's just me. Also I do not like the inverted option, I'd rather just use a block as it's easier for a noob to identify right away even if I have to make another rule. I could be in the minority, everyone thinks differently.
    The source and destination in your video was driving me crazy as the first rule to block private networks tells me it's ALLOWING private networks (unless I'm totally lost) but the inverted checkbox basically tells the rule to do the opposite? Let me know before I do something stupid, I also don't seem to have a lockout rule configured at all.
    Anyways I'm on to your Ubiquiti video to get devices/appliances sorted by IP and then I'll be back here. Thanks for the videos and your participation on Reddit. I usually don't comment but I know you'll respond and I really appreciate that man.

    • @homenetworkguy
      @homenetworkguy 8 months ago

      Yeah I started with the overarching full network build and after that I started covering specific topics in more detail. There is a certain level of knowledge and experience that has to be assumed when discussing topics in more depth. It’s difficult (and not always feasible) to discuss all possible background information leading up to more complex topics. I do the same thing on my website. I have overarching guides but then dive into different topics in detail.
      I definitely recommend tackling one topic at a time because what I create videos and written guides on has taken me weeks/months/years to learn. I’m hoping that sharing what I learned can help others get up to speed quicker than I was able to do. I’m still learning as I go. Haha.
      If firewall rules are overwhelming since you haven’t set up your VLANs, you could just leave everything wide open by having allow all rules on your networks and once you have everything communicating properly and can verify everything is on the appropriate VLANs, then you can start tightening up the rules, one network at a time.
      When I first started with OPNsense, I had a single flat network. Then I started learning about VLANs so I added some VLANs. Then I figured out how to block access between the VLANs with firewall rules. Then I started learning about configuring the DNS settings. Set up Pi-hole (no longer using it). Then I grew my network and added more VLANs and tweaked the firewall rules more. Then I tried messing with intrusion detection (via Suricata and later Sensei which became Zenarmor). Then I learned how to set up OpenVPN for remote access into my network. Later I switched to WireGuard. At some point I spent a couple of months learning how to configure IPv6 with Comcast using prefix delegation so all my VLANs could get their own IPv6 addresses. Then I learned how to set up a reverse proxy for my internal network and make use of split DNS using Unbound DNS overrides. All this and more has taken place since 2017 when I began the journey with OPNsense and more advanced home networking. I mention this as an example of the progression I made over time. I focused on one thing at a time until I got to where my network is today and I’m always evolving it slowly as my needs change and/or I learn better ways to do things.
      One thing I would like to mention is if you prefer to use 2 rules instead of a single more concise rule to avoid using the invert destination option, there is nothing wrong with that! You are free to create the rules to meet your needs and the end result is still the same. That is why I showed a few different ways of isolating VLANs (I show that in a different video).

  • @JasonsLabVideos
    @JasonsLabVideos 1 year ago

    First !! and good !!

  • @lencumbow
    @lencumbow 5 days ago

    Clear as mud. You never really made it clear when to use floating vs. group.

    • @homenetworkguy
      @homenetworkguy 5 days ago

      I rewatched part of the video to make sure I didn't forget to include examples, but I had a few examples in the video.
      If you have the same set of rules you wish to apply to multiple interfaces, consider using firewall groups: it reduces repetition of the same rules across multiple interfaces.
      If you wish to apply rules across the entire network, floating rules are a good option. I like using them for things such as allowing the iperf3 port on the entire network so I can speed test between all of my internal networks without needing to create rules all the time. You can use them for IP block lists to block malicious IPs across the entire network. I like allowing SSH across all internal networks as well, so it works nicely as a floating rule.
      However, floating rules do allow you to select specific interfaces to apply the rules to. You can essentially achieve the same thing with floating rules as with firewall groups.
      One benefit of firewall groups is that you get autogenerated aliases for "address" and "net" like you do with other interfaces, such as LAN address and LAN net.
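
The two replies above that deal with rule ordering (the reply to @MrKalindro, where a group-level block of private networks cannot be carved out by an interface-level allow because group rules are evaluated first, and the final reply recommending floating rules for network-wide allows such as iperf3) are easier to reason about with a small executable model. The following Python is an added illustration written for this page; it is not code from the video, from OPNsense or from pf. It assumes the tier order described in the comments (floating, then interface groups, then the interface's own rules), pf-style semantics where a matching "quick" rule decides immediately while a matching non-quick rule is only provisional and the last match wins, and it ignores direction and protocol. The interface names, the "Internal" group, the printer address and the port numbers are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed tier order (floating, then interface groups, then the interface's own
# rules); a toy model of the ordering discussed in the comments, not OPNsense code.
TIER_ORDER = {"floating": 0, "group": 1, "interface": 2}
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


@dataclass
class Packet:
    in_if: str    # interface the packet arrives on, e.g. "GUEST"
    dst: str      # destination IPv4 address
    dport: int    # destination port


@dataclass
class Rule:
    tier: str                      # "floating" | "group" | "interface"
    interfaces: List[str]          # interfaces the rule applies to; "*" = any
    action: str                    # "pass" | "block"
    dst_nets: List[str] = field(default_factory=list)  # [] = any destination
    invert_dst: bool = False       # the "Destination / Invert" checkbox
    dport: Optional[int] = None    # None = any port
    quick: bool = True             # floating rules may have "quick" unchecked
    name: str = ""

    def matches(self, pkt: Packet) -> bool:
        if "*" not in self.interfaces and pkt.in_if not in self.interfaces:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.dst_nets:
            in_nets = any(ip_address(pkt.dst) in ip_network(n) for n in self.dst_nets)
            if in_nets == self.invert_dst:   # invert flips the sense of the match
                return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """pf-style decision: a matching quick rule ends evaluation at once; a matching
    non-quick rule is only provisional and a later match replaces it; no match
    falls through to the implicit default deny. Returns (action, rule name)."""
    ordered = sorted(rules, key=lambda r: TIER_ORDER[r.tier])  # stable: keeps intra-tier order
    winner = ("block", "default deny")
    for r in ordered:
        if not r.matches(pkt):
            continue
        if r.quick:
            return (r.action, r.name)
        winner = (r.action, r.name)
    return winner


# Constructed scenario: GUEST and IOT are members of an interface group "Internal";
# the printer address and port numbers are assumptions for the illustration.
PRINTER = "192.168.10.5"
GROUP_BLOCK = Rule("group", ["GUEST", "IOT"], "block", RFC1918, name="Internal: block private nets")
ALLOW_PRINTER = Rule("interface", ["GUEST"], "pass", [PRINTER + "/32"], dport=631, name="GUEST: allow printer")
INTERNET_ONLY = Rule("interface", ["GUEST"], "pass", RFC1918, invert_dst=True, name="GUEST: internet only")
TO_PRINTER = Packet("GUEST", PRINTER, 631)
TO_INTERNET = Packet("GUEST", "1.1.1.1", 443)


def group_block_then_interface_exception() -> Tuple[str, str]:
    """A quick group block of private nets runs first, so the interface allow never gets a say."""
    return evaluate([GROUP_BLOCK, ALLOW_PRINTER, INTERNET_ONLY], TO_PRINTER)


def interface_only_rules() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Without the group block the exception works and internet traffic still passes."""
    rules = [ALLOW_PRINTER, INTERNET_ONLY]
    return evaluate(rules, TO_PRINTER), evaluate(rules, TO_INTERNET)


def nonquick_floating_block() -> Tuple[str, str]:
    """A floating block with quick unchecked is provisional; the later interface allow is the last match."""
    floating = Rule("floating", ["*"], "block", RFC1918, quick=False, name="floating: block private nets")
    return evaluate([floating, ALLOW_PRINTER], TO_PRINTER)


def floating_iperf_allow() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Network-wide iperf3 allow as a floating rule: evaluated before the group block, so
    port 5201 passes everywhere while other traffic to private nets is still blocked."""
    rules = [Rule("floating", ["*"], "pass", dport=5201, name="floating: allow iperf3"), GROUP_BLOCK]
    return evaluate(rules, Packet("GUEST", PRINTER, 5201)), evaluate(rules, TO_PRINTER)


if __name__ == "__main__":
    for fn in (group_block_then_interface_exception, interface_only_rules,
               nonquick_floating_block, floating_iperf_allow):
        print(fn.__name__, "->", fn())
```

Running the script shows the trade-off the two replies describe: the same "block private networks" rule is unconditional when placed at the group tier (quick), becomes overridable only if it is a floating rule with quick unchecked, and a quick floating allow for a single port is the natural place for something you want everywhere regardless of per-interface policy.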