== Step 1: Understanding the problem. Why do this? ==

Let’s say there’s a device on your network you don’t trust. You want to use it, but you don’t trust it. Exhibit A, a Chinese security camera. Hikvision makes good, cheap cameras; but my government tells me I shouldn’t trust them, and I [https://www.fcc.gov/document/fcc-bans-authorizations-devices-pose-national-security-threat listen to & believe everything that my government tells me]. I will want to limit its access to the internet, and to other machines.

Let’s say it connects via wifi. You can block it from connecting to the internet by its IP - but what if it tries to change its IP? You could create a static mapping in pfSense based on its MAC address, but what if it spoofs its MAC address?

If this device were truly malicious, it could do the following:

* Spoof its MAC address to get around a static mapping
* Try to connect using every single IP address
* See if it eventually finds an IP address in that subnet that allows it to go online & connect to other networks/devices
* Upload audio recordings of you saying you had a celebrity crush on Sabrina Carpenter, or that you cry listening to Tori Amos’ Baker Baker. Where’d your reputation be then?

If you want to be more stringent with this - if you genuinely believe your refrigerator is out to get you by recording your intimate moments & blackmailing you with them (it’s probably not), we can make a separate network for them.

We’ll create two separate networks:

* '''Main Network''': <code>192.168.5.0/24</code> for trusted devices ''(we’ve already created this)''
* '''Guest Network''': <code>192.168.7.0/24</code> for untrusted devices ''(needs to be created)''

<blockquote>'''Note''': This is not a normal wifi access point. It is an enterprise level device that allows seamless switching between multiple access points, so that if you have a giant area you never lose your connection or connection strength.

The downside is that this isn’t as simple as a standard wifi router; this isn’t your Linksys WRT54G from 2005 that you configure by typing <code>192.168.1.1</code> and entering <code>admin</code> for the user & password. You need to install controller software to use it, and it’s worth it. Access points like the EAP610 can be found used on eBay in liquidation sales for $45, which is cheaper than a lot of wifi routers.</blockquote>

Our LAN subnet, where our servers & computers connect, is <code>192.168.5.0/24</code>, meaning that clients connecting here can grab from <code>192.168.5.2</code> to <code>192.168.5.254</code> - <code>192.168.5.1</code> is taken by the router.

Our OpenVPN subnet, which we connect to when we use our VPN, is <code>192.168.6.0/24</code>, meaning that clients that connect here can grab from <code>192.168.6.2</code> to <code>192.168.6.254</code> - <code>192.168.6.1</code> is taken by the VPN gateway.

Here we’re going to create <code>192.168.8.0/24</code> as another subnet. If you’re on the trusted wifi, you get to connect to the <code>192.168.5.0/24</code> network. If you are connecting to the untrusted wifi, you get to connect to the <code>192.168.7.0/24</code> untrusted network.

When we set up OpenVPN, pfSense automatically created a firewall rule that allowed the VPN subnet of <code>192.168.6.0/24</code> to connect to everything. We will do the opposite for this network. We can create a rule that blocks all traffic TO and FROM the <code>192.168.7.0/24</code> network. Then, we can create specific allow rules for the very specific devices we want it to connect to. If it’s a thermostat, we allow it a connection to & from <code>192.168.5.4</code>, our Home Assistant machine. If it is a camera, we allow it a connection to & from <code>192.168.5.2</code>, our Frigate machine.

It doesn’t matter if the device spoofs its MAC address to get around a static mapping at this point. It doesn’t matter if it tries to grab every single IP address on the subnet - because NOTHING on <code>192.168.7.0/24</code> is allowed to connect to anything anyway. So, it’s stuck. This is more “secure” if your threat model includes a thermostat with a hidden microphone in it connected to your wifi, that might want to get around being blocked from phoning home.

# Can’t access your main network
# Can’t see your devices
# Can still access the internet

This is what VLANs are for. We’ll create two completely separate networks:

* Main Network (192.168.5.0/24): For your trusted devices
* Guest Network (192.168.7.0/24): For everyone else

<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113190058398.png
</gallery>
</div>
<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113190156285.png
</gallery>
</div>
<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113190459933.png
</gallery>
</div>
<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113190855998.png
</gallery>
</div>
<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113190925796.png
</gallery>
</div>
<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113190952807.png
</gallery>
</div>
<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113191027630.png
</gallery>
</div>
<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113191045988.png
</gallery>
</div>
<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113191714961.png
</gallery>
</div>
<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113192027212.png
</gallery>
</div>
<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113191736911.png
</gallery>
</div>
<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113191815241.png
</gallery>
</div>
<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113192136101.png
</gallery>
</div>
<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113192201701.png
</gallery>
</div>
<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113192215825.png
</gallery>
</div>

<span id="step-2-pfsense-configuration-guide-for-trusted-untrusted-networks"></span>
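To make the "block everything, then allow a few specific pairs" idea concrete before clicking through pfSense, here is a small model of that rule set. This is an added example, not the guide's own configuration and not pfSense code: the trusted hosts (<code>192.168.5.4</code> Home Assistant, <code>192.168.5.2</code> Frigate) and the subnets come from the text above, while the thermostat and camera addresses (<code>192.168.7.20</code>, <code>192.168.7.30</code>) are constructed for illustration. It follows pfSense's evaluation order, which is worth keeping in mind when you build the real rules: interface rules are checked top to bottom and the first match wins, and traffic that matches nothing is blocked, so the specific allow rules must sit above the block-all rule or they will never be reached.

```python
# Added example: a first-match model of the guest-VLAN rule set described
# in Step 1. Not the guide's configuration; thermostat/camera addresses
# are constructed placeholders.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

LAN = ip_network("192.168.5.0/24")          # trusted network (from the guide)
GUEST = ip_network("192.168.7.0/24")        # untrusted network (from the guide)
HOME_ASSISTANT = ip_address("192.168.5.4")  # from the guide
FRIGATE = ip_address("192.168.5.2")         # from the guide
THERMOSTAT = ip_address("192.168.7.20")     # constructed for this example
CAMERA = ip_address("192.168.7.30")         # constructed for this example
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    note: str = ""

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.src and dst in self.dst


def host(addr: IPv4Address) -> IPv4Network:
    """Single-host network, like a /32 alias in the pfSense rule editor."""
    return ip_network(f"{addr}/32")


def pair(a: IPv4Address, b: IPv4Address, note: str) -> list[Rule]:
    """'A connection to & from': one pass rule for each direction."""
    return [Rule("pass", host(a), host(b), note),
            Rule("pass", host(b), host(a), note)]


# Specific allows first (first match wins), then block everything
# TO and FROM the untrusted subnet, exactly as the guide describes.
GUEST_RULES = (
    pair(THERMOSTAT, HOME_ASSISTANT, "thermostat <-> home assistant")
    + pair(CAMERA, FRIGATE, "camera <-> frigate")
    + [Rule("block", GUEST, ANY, "block all FROM untrusted"),
       Rule("block", ANY, GUEST, "block all TO untrusted")]
)


def evaluate(src: str, dst: str, rules: list[Rule] = GUEST_RULES) -> str:
    """Action of the first matching rule; pfSense blocks unmatched traffic."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d):
            return rule.action
    return "block"


def hosts_that_reach(dst: str, net: IPv4Network = GUEST) -> list[str]:
    """Walk every usable address in the subnet, as a device hopping
    through IPs would, and return the ones allowed to reach dst."""
    return [str(h) for h in net.hosts() if evaluate(str(h), dst) == "pass"]


if __name__ == "__main__":
    checks = [
        (str(CAMERA), str(FRIGATE)),         # pass: the one allowed path
        (str(CAMERA), str(HOME_ASSISTANT)),  # block: wrong trusted host
        (str(CAMERA), "203.0.113.10"),       # block: no route to the internet
        (str(FRIGATE), str(CAMERA)),         # pass: return direction
        ("192.168.5.10", str(CAMERA)),       # block: any other LAN host
    ]
    for src, dst in checks:
        print(f"{src:>14} -> {dst:<14} {evaluate(src, dst)}")
    # Grabbing every address in the subnet gains nothing: no guest address
    # reaches the internet, and only the camera's address reaches Frigate.
    print(hosts_that_reach("203.0.113.10"))
    print(hosts_that_reach(str(FRIGATE)))
```

The two <code>hosts_that_reach</code> calls are the point of the exercise: the block rules key on the whole <code>192.168.7.0/24</code> subnet rather than on a MAC address or a single static mapping, so a device that changes its MAC or walks through all 254 addresses still lands on an address the block-all rule covers. Note that a real pfSense rule set is stateful, so the "return direction" pass rule is usually unnecessary for replies to an allowed connection; it is modelled here only because the guide phrases the allow as "to & from".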