
Thread: pfSense

  1. #1

    pfSense

    Hi Philip and Team!

    Do you happen to have tips and tweaks for pfSense?

    What would be a good set up? Which ports do I have to keep open under "small office home office condition"?

    I don't do torrenting, but I do lots of multi-threaded HTTPS downloads of large files using Internet Download Manager.
    I also do a lot of streaming from different sites.
    We use WireGuard and OpenConnect on the client side as well.

    Thanks

  2. #2
    Administrator Philip's Avatar
    Join Date
    May 1999
    Location
    Jacksonville, Florida
    Posts
    11,146
    Blog Entries
    6
    Hi Mark,

    It depends on the number of users pretty much, and how capable the appliance is to run all of the pfSense features. If the device does not have a fast CPU and plenty of RAM (or if you don't have many users at the same time), I would turn off some of the fancier features like QoS.

    I would try without opening any ports, https transfers should be going through the standard port 443 and some temporary high ports that you don't need to keep open. If some software you use requires running a server on your end that's where you have to start opening ports usually.

  3. #3
    Hey Philip

    This is my set up:
    https://www.gigabyte.com/Motherboard...WIFI-rev-10#kf
    16GB RAM
    128GB SSD

    I have QoS and Suricata running.

    I have modified the tunables to match TCP Optimizer's.

    Under Windows 10, which ports need to be open?

  4. #4
    Hardware will not be a limitation with that setup; if anything, it might be overkill for a SOHO setup. You can run whatever services you want, pretty much.

    You only need to open ports if you are running servers and need to connect to your network from a remote location (Remote Desktop, VNC server, SSH, etc.). Otherwise, for most outgoing connections the ports are dynamically allocated and you don't have to open them at the firewall.
    Linux is user friendly, it's just picky about its friends...
    Disclaimer: Please use caution when opening messages, my grasp on reality may have shaken loose during transmission (going on rusty memory circuits).
    ๑۩۞۩๑

  5. #5
    Thanks Philip

  6. #6
    Philip, would you agree with the following default settings in pfSense:

    TCP First 3600
    TCP Opening 900
    TCP Established 432000
    TCP Closing 3600
    TCP FIN Wait 600
    TCP Closed 180
    TCP Tsdiff 60
    UDP First 300
    UDP Single 150
    UDP Multiple 900
    ICMP First 20
    ICMP Error 10
    Other First 60
    Other Single 30
    Other Multiple 60

  7. #7
    I do not use pfSense, but I think that list refers to the amount of time those different protocol states remain open before timing out.

    All those timeouts seem to be a bit too long/conservative for my taste (assuming they are in seconds)... I would definitely shorten the TCP ones... Something like:

    TCP First 120
    TCP Opening 60
    TCP Established 86400
    TCP Closing 600
    TCP FIN Wait 45
    TCP Closed 90
    TCP Tsdiff 30


    Otherwise, it will keep all those connections open too long, consuming memory and resources unnecessarily.

  8. #8
    Philip,

    Just a confirmation on ports. I will only open the ports that are needed by my machine. How about the dynamically assigned ports? Do I have to open some of them or block all of them? If so, which port range is best kept open?

  9. #9
    In general, it is safe to close all inbound ports unless you are running some type of server application that needs people to connect to you.
    Blocking new incoming connections is safe.

    When your local devices reach out onto the internet, they establish a connection with a remote server and the firewall generally knows to allow incoming traffic back to that device on certain ports. If some application/game has an issue with that, you may have to read into what ports it requires open/forwarded and adjust (port-forward) accordingly.
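The policy Philip describes in posts #4 and #9 (block new inbound connections, let outbound connections create state so replies come back without opened ports) and the shortened TCP timeouts he suggests in post #7 can both be written down in pf.conf terms, since pfSense's state timeout fields ("TCP First", "TCP Opening", ...) are the GUI names for pf's `set timeout` keywords. The following file is an added example written for this thread, not pfSense's generated ruleset and not anything a poster provided; pfSense builds its own rules from the GUI, so this is only to show what those settings mean. The interface names `em0`/`em1`, the LAN subnet, the state limit and the forwarded host address are assumptions for the example.

```pf
# Added example (not from the thread): a minimal stateful SOHO pf.conf.
# Interface names, LAN subnet and host addresses are assumed values.
wan = "em0"
lan = "em1"
lan_net = "192.168.1.0/24"

# Post #7's suggested TCP timeouts, in seconds. These keywords are pf's
# names for the fields pfSense labels TCP First, TCP Opening, etc.
# UDP, ICMP and "other" are left at pf's defaults, which are already short.
set timeout { tcp.first 120, tcp.opening 60, tcp.established 86400,
              tcp.closing 600, tcp.finwait 45, tcp.closed 90, tcp.tsdiff 30 }

# Cap the state table so a burst of connections cannot exhaust memory
# (post #7's point about long timeouts consuming resources). 100000 is an
# example size for a small office, not a recommendation.
set limit states 100000
set skip on lo0

scrub in all

# Translation rules must come before filter rules in FreeBSD pf. This is the
# only kind of entry you add when you really do run a server (post #4):
# here an SSH server on an assumed LAN host, reached through a port forward.
# Leave it commented out unless that server exists.
# rdr on $wan inet proto tcp from any to ($wan) port 22 -> 192.168.1.10 port 22

# Default deny: new inbound connections from the internet are dropped
# (post #9: "Blocking new incoming connections is safe"). Logging them
# gives visibility into what is knocking without opening anything.
block in log all

# Outbound traffic from the LAN creates a state entry; the reply packets on
# the "temporary high ports" of post #2 match that entry and need no
# inbound rule of their own.
pass in  quick on $lan inet from $lan_net to any keep state
pass out quick on $wan inet proto { tcp udp icmp } from $lan_net to any keep state

# Filter rule that pairs with the rdr above; also commented out by default.
# pass in on $wan inet proto tcp from any to 192.168.1.10 port 22 keep state
```

For reference, the list in post #6 is exactly pf's `set optimization conservative` preset from pf.conf(5) (tcp.first 3600, tcp.opening 900, tcp.established 432000, tcp.closing 3600, tcp.finwait 600, tcp.closed 180, udp.first 300, udp.single 150, udp.multiple 900), while the values in post #7 are close to the `normal` preset (tcp.first 120, tcp.opening 30, tcp.established 86400, tcp.closing 900, tcp.finwait 45, tcp.closed 90). On a running pf system `pfctl -s timeouts` shows the values in effect and `pfctl -s info` shows the current state-table usage, which is the number the timeouts directly control.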
