pfSense
Posted: Thu Oct 21, 2021 5:21 pm
by MagikMark
Hi Philip and Team!
Do you happen to have tips and tweaks for pfSense?
What would be a good set up? Which ports do I have to keep open under "small office home office condition"?
I don't do torrenting, but I do lots of multi-threaded HTTPS downloads of large files using Internet Download Manager.
I also do a lot of streaming from different sites.
We use WireGuard and OpenConnect on our client side as well.
Thanks
Posted: Fri Oct 22, 2021 8:14 am
by Philip
Hi Mark,
It depends on the number of users pretty much, and how capable the appliance is to run all of the pfsense features. If the device does not have a fast CPU and plenty of RAM (or if you don't have many users at the same time) I would turn off some of the more fancy features like QoS.
I would try without opening any ports, https transfers should be going through the standard port 443 and some temporary high ports that you don't need to keep open. If some software you use requires running a server on your end that's where you have to start opening ports usually.
Posted: Sun Oct 24, 2021 7:48 pm
by MagikMark
Hey Philip
This is my set up:
https://www.gigabyte.com/Motherboard/B4 ... -rev-10#kf
16GB RAM
128GB SSD
I have QoS and Suricata running.
I have modified the tunables to match TCP Optimizer's.
Under Windows 10 OS, which ports need to be open?
Posted: Mon Oct 25, 2021 8:00 am
by Philip
Hardware will not be a limitation with that setup; if anything it might be overkill for a SOHO setup - you can run whatever services you want pretty much.
You only need to open ports if you are running servers and need to connect to your network from a remote location (Remote Desktop, VNC server, SSH, etc.) Otherwise, for most outgoing connections the ports should be dynamically allocated and you don't have to open them at the firewall.
Posted: Mon Oct 25, 2021 5:19 pm
by MagikMark
Thanks Philip
Posted: Sat Nov 13, 2021 10:05 pm
by MagikMark
Philip would you agree on the ff default settings in pfsense:
TCP First 3600
TCP Opening 900
TCP Established 432000
TCP Closing 3600
TCP FIN Wait 600
TCP Closed 180
TCP Tsdiff 60
UDP First 300
UDP Single 150
UDP Multiple 900
ICMP First 20
ICMP Error 10
Other First 60
Other Single 30
Other Multiple 60
Posted: Sun Nov 14, 2021 9:10 am
by Philip
I do not use pfSense, but I think that list refers to the amount of time those different protocol states remain open before timing out.
All those timeouts seem to be a bit too long/conservative for my taste (assuming they are in seconds)... I would definitely shorten the TCP ones... Something like:
TCP First 120
TCP Opening 60
TCP Established 86400
TCP Closing 600
TCP FIN Wait 45
TCP Closed 90
TCP Tsdiff 30
Otherwise, it will keep all those connections open too long, consuming memory and resources unnecessarily.
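The pfSense GUI labels in the two lists above correspond to pf's state timeout names (`tcp.first`, `tcp.opening`, `tcp.established`, `tcp.closing`, `tcp.finwait`, `tcp.closed`, `tcp.tsdiff`), which `pfctl -st` prints with their current values. The following script is an added example, not code from the thread or from pfSense: it reads `pfctl -st` style output and flags any TCP timeout longer than the values suggested in the reply above, using a constructed sample in place of a live capture.

```shell
#!/bin/sh
# check_timeouts: read `pfctl -st` output on stdin and print every TCP state
# timeout that exceeds the suggested maximum. Exit status 0 = all within
# limits, 1 = at least one timeout is longer than suggested.
check_timeouts() {
    awk '
        BEGIN {
            # Suggested maximums (seconds) from the reply above; keys are the
            # pfctl names, comments give the matching pfSense GUI label.
            lim["tcp.first"]       = 120    # TCP First
            lim["tcp.opening"]     = 60     # TCP Opening
            lim["tcp.established"] = 86400  # TCP Established
            lim["tcp.closing"]     = 600    # TCP Closing
            lim["tcp.finwait"]     = 45     # TCP FIN Wait
            lim["tcp.closed"]      = 90     # TCP Closed
            lim["tcp.tsdiff"]      = 30     # TCP Tsdiff
            bad = 0
        }
        $1 in lim {
            secs = $2; sub(/s$/, "", secs)      # strip the trailing "s" unit
            if (secs + 0 > lim[$1]) {
                printf "%s is %ss, suggested max %ss\n", $1, secs, lim[$1]
                bad = 1
            }
        }
        END { exit bad }
    '
}

# Constructed sample in the layout of `pfctl -st`, filled with the
# conservative defaults listed in the thread (not captured from a real box).
SAMPLE='tcp.first                  3600s
tcp.opening                 900s
tcp.established          432000s
tcp.closing                3600s
tcp.finwait                 600s
tcp.closed                  180s
tcp.tsdiff                   60s
udp.first                   300s'

# On a pfSense box the same check would be: pfctl -st | check_timeouts
if printf '%s\n' "$SAMPLE" | check_timeouts; then
    echo "all TCP timeouts are within the suggested limits"
else
    echo "some TCP timeouts exceed the suggested limits (exit status 1)"
fi
```

States held past their useful life only consume state-table entries and memory, so a timeout that is longer than needed shows up here as a line to review rather than as an outright error.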
Posted: Tue Nov 23, 2021 4:30 pm
by MagikMark
Philip,
Just a confirmation on ports. I will just open ports that are needed by my machine. How about the Dynamically assigned ports? Do I have to open some of them or totally block all of them? If so, which port range is best kept open?
Posted: Tue Nov 23, 2021 7:53 pm
by Philip
In general, it is safe to close all inbound ports unless you are running some type of server application that needs people to connect to you.
Blocking new incoming connections is safe.
When your local devices reach out onto the internet, they establish a connection with a remote server and the firewall generally knows to allow incoming traffic back to that device on certain ports. If some application/game has an issue with that, you may have to read into what ports it requires open/forwarded and adjust (port-forward) accordingly.