myFirewall Installation


Network Security - myFirewall

myServer must be installed behind a secure firewall with the proper ports forwarded to the Internet (for remote connection) and with port reflection. Not all routers can be configured this way. Worse, you set up your Internet provider's modem and then they reflash it, losing all of your settings, which can take hours to restore (not to mention that your system is down in the meantime).

Allonis properly configures a quality, yet inexpensive gateway that should work plug and play and is designed for reliability.

We support two models: myFirewall2 (has two ports: WAN and LAN) and myFirewall4 (WAN / LAN1 / LAN2 / LAN3). The four-port model enables next-level security, such as putting all automation and security systems on a secure network while still allowing all clients on the private network to communicate with those devices, plus a Guest network that only has access to the Internet (no Intranet access).

Here is how it would be installed:

Internet <<<>>> your Internet service provider <<<>>> your Internet service provider's modem / router (set up in Bridge Mode) <<<>>> myFirewall (configured by Allonis) <<<>>> myServer and the rest of the Intranet network devices

Optionally, Allonis can log into myFirewall and custom configure it for your exact requirements.  Please contact Allonis if you need a special setup.

myFirewall Product Description

The new Allonis myFirewall series is a cost-effective, state-of-the-art pfSense® Security Gateway appliance. The myFirewall comes with either dual or quad 1Gbps Ethernet ports, enabling maximum throughput exceeding 300Mbps. The processor and RAM provided combine to facilitate low power consumption while maintaining performance. myFirewall comes in a lightweight and durable anodized aluminum case.

myFirewall is an inexpensive platform, purpose-built to run pfSense software and can be deployed in many environments: Multi-dwelling units (MDU) such as apartments and dorm rooms, commercial-control applications (SCADA), as well as more traditional small office, home office deployments, or anywhere that security is needed. myFirewall is also the ideal security gateway for the Internet of Things (IoT). IoT applications include many remote monitoring applications for smart home/smart cities, commercial automation, energy management, agricultural, and health care. All of these can be deployed with best-in-class network security, safeguarding network connected devices. myFirewall is a cost-effective solution to protect devices on your network at the point of connection.

myFirewall is better than a build-it-yourself firewall solution. Attempting to DIY on something as important as protecting your network can be a risky, time consuming, and expensive process. Get the power and flexibility of pfSense software, the world’s most popular open-source firewall, as a pre-integrated appliance that is robust and ready to go out of the box, all at a low price.

  • Stateful packet filtering firewall or pure router
  • Routing policy per gateway and per-rule for failover and load balancing
  • Transparent layer 2 firewall
  • Support for IPv6, NAT, BGP
  • Captive portal with MAC filtering, RADIUS support, etc.
  • VPN: IPsec, OpenVPN, L2TP
  • Dynamic DNS client
  • Reporting and monitoring features with real time information

myFirewall2 

Price $199.99

myFirewall4

Price $579.99

myFirewall2 ships with:

IP: 192.168.1.201

Username / password: admin/pfsense

To enable Split DNS, first get a NoIP public DNS name set up, then log into the myFirewall and go to Services / DNS Resolver.

In the Host Overrides fields, change the myserver and allonis.local entries to your NoIP DNS name (or your registered DNS name) and click Save. This name must match your myServer DNS name.

In myServer Network properties, type your NoIP DNS name in the DNS field.

Restart myServer for the setting changes to take effect.

myFirewall Installation Help

To help you organize your network, here is an Addressing Example:

  • Gateway(FW/Router)=192.168.x.201 (or 200, 202, 203, 204 - 209)
  • myServer=Static 192.168.x.210
  • Printers=192.168.x.220 - 229
  • Security=192.168.x.100 - 192.168.x.109
  • Audio=192.168.x.110 - 192.168.x.129
  • Video=192.168.x.130 - 192.168.x.149
  • Lighting Control Systems=192.168.x.150 - 192.168.x.159
  • Climate Control Systems=192.168.x.160 - 192.168.x.169
  • ClientPCs=192.168.x.170 - 192.168.x.199
  • Other=192.168.x.200 - 192.168.x.219

Interfaces:
WAN=Connection to Internet
LAN1=General Purpose
LAN2=Home Automation/Secure Systems - secure internal network. Note: Firewall rules must control access! 
LAN3=Other (Guest Network, etc)

WAN= DHCP, DHCP6
LAN1=Static 192.168.0.200 Subnet 192.168.0.x 255.255.255.0 DHCP Scope=192.168.0.3-192.168.0.99
LAN2=Static 192.168.2.200 Subnet 192.168.2.x 255.255.255.0 DHCP Scope=192.168.2.3-192.168.2.99
LAN3=Static 192.168.3.200 Subnet 192.168.3.x 255.255.255.0 DHCP Scope=192.168.3.3-192.168.3.99

Note: 192.168.x.1-2 are reserved for devices that boot on one of those IPs by default. Keeping them out of the DHCP scope prevents the DHCP server from handing those IPs out, so that when you plug in a factory-default device there is no IP conflict.
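A quick consistency check of the addressing plan above, written as an added example (not part of the original page): it confirms each DHCP scope sits inside its subnet, keeps the reserved .1 and .2 addresses out of the scope, and keeps the gateway and myServer's static address from colliding with leased addresses. The plan values are taken from this page; the function and variable names are my own.

```python
import ipaddress

# Per-interface plan constructed from the page: gateway address, subnet,
# and DHCP scope (first and last address handed out).
PLAN = {
    "LAN1": ("192.168.0.200", "192.168.0.0/24", "192.168.0.3", "192.168.0.99"),
    "LAN2": ("192.168.2.200", "192.168.2.0/24", "192.168.2.3", "192.168.2.99"),
    "LAN3": ("192.168.3.200", "192.168.3.0/24", "192.168.3.3", "192.168.3.99"),
}
# Fixed addresses from the addressing example (myServer at .210 on LAN1)
STATIC_HOSTS = {"myServer": "192.168.0.210"}
RESERVED_HOST_IDS = (1, 2)   # 192.168.x.1-2 left free for factory-default devices


def check_plan(plan, static_hosts):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    for name, (gw, net, first, last) in plan.items():
        network = ipaddress.ip_network(net)
        gw_ip, lo, hi = (ipaddress.ip_address(a) for a in (gw, first, last))
        if gw_ip not in network:
            findings.append(f"{name}: gateway {gw} is not inside {net}")
        if lo not in network or hi not in network or lo > hi:
            findings.append(f"{name}: DHCP scope {first}-{last} is not within {net}")
            continue            # the remaining checks assume a valid scope
        scope = range(int(lo), int(hi) + 1)
        base = int(network.network_address)
        for host_id in RESERVED_HOST_IDS:
            if base + host_id in scope:
                findings.append(f"{name}: reserved host .{host_id} is inside the DHCP scope")
        if int(gw_ip) in scope:
            findings.append(f"{name}: gateway {gw} is inside the DHCP scope")
        for host, addr in static_hosts.items():
            ip = ipaddress.ip_address(addr)
            if ip in network and int(ip) in scope:
                findings.append(f"{name}: static host {host} ({addr}) collides with the DHCP scope")
    return findings


if __name__ == "__main__":
    for finding in check_plan(PLAN, STATIC_HOSTS) or ["plan is consistent"]:
        print(finding)
```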

FW Rules:
WAN Interface:
Port Forward/NAT WAN Address TCP 6245 to myServer TCP 80
Port Forward/NAT WAN Address TCP 6246 to myServer TCP 6246
Port Forward/NAT WAN Address TCP 8181 to myServer TCP 8181

Port 3342 must not be blocked from myServer to the Internet. This port is used for web services like Alexa. By default, most routers permit this traffic.


LAN1 Interface:
Allow protocol IPv4 TCP/UDP ANY to ANY excluding LAN2 subnet

LAN2 Interface:
Allow protocol IPv4 TCP/UDP ANY to ANY

LAN3 Interface:
Allow protocol IPv4 TCP/UDP ANY to ANY excluding LAN2 (or as needed per requirements for LAN3)
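Here is an added example, not Allonis's pfSense configuration, that evaluates test packets against the rules as listed above and against a guest-isolated LAN3 variant; as listed, the LAN3 rule excludes only LAN2, so guest devices could still reach LAN1, and the variant blocks LAN1 and LAN2 ahead of the pass rule to match the Guest network described in Step 12. It simplifies pfSense to TCP only, first match wins, default deny, and port forwards applied before filtering, and places myServer on LAN2 as in Step 11; the rule and function names are my own.

```python
import ipaddress
from dataclasses import dataclass

# Subnets from the page's plan; myServer on LAN2 as in the optional Step 11 layout
LAN1 = ipaddress.ip_network("192.168.0.0/24")
LAN2 = ipaddress.ip_network("192.168.2.0/24")
LAN3 = ipaddress.ip_network("192.168.3.0/24")
MYSERVER = ipaddress.ip_address("192.168.2.210")
# WAN port forwards from the page: public TCP port -> myServer TCP port
PORT_FORWARDS = {6245: 80, 6246: 6246, 8181: 8181}


@dataclass
class Rule:
    iface: str                  # interface the packet arrives on
    action: str                 # "pass" or "block"
    dst: object = None          # destination network, None = any
    invert: bool = False        # True models pfSense "not": destination is NOT dst
    dport: int = None           # destination TCP port, None = any


def matches(rule, iface, dst_ip, dport):
    if rule.iface != iface:
        return False
    if rule.dst is not None and (dst_ip in rule.dst) == rule.invert:
        return False            # an inverted rule matches only outside dst
    return rule.dport is None or rule.dport == dport


# Rules exactly as listed on the page; first match wins, unmatched traffic is dropped.
RULES_AS_LISTED = [
    *[Rule("WAN", "pass", ipaddress.ip_network(f"{MYSERVER}/32"), dport=p)
      for p in PORT_FORWARDS.values()],
    Rule("LAN1", "pass", LAN2, invert=True),   # any to any excluding LAN2
    Rule("LAN2", "pass"),                      # any to any
    Rule("LAN3", "pass", LAN2, invert=True),   # any to any excluding LAN2
]
# Guest-isolated variant for Step 12: LAN3 reaches only the Internet.
RULES_GUEST_ISOLATED = RULES_AS_LISTED[:-1] + [
    Rule("LAN3", "block", LAN1), Rule("LAN3", "block", LAN2), Rule("LAN3", "pass")]


def evaluate(rules, iface, dst_ip, dport):
    """Return 'pass' or 'block' for a TCP packet arriving on iface toward dst_ip:dport."""
    dst_ip = ipaddress.ip_address(dst_ip)
    if iface == "WAN":                      # NAT runs before filtering on WAN
        if dport not in PORT_FORWARDS:
            return "block"                  # nothing else is forwarded inbound
        dst_ip, dport = MYSERVER, PORT_FORWARDS[dport]
    for rule in rules:
        if matches(rule, iface, dst_ip, dport):
            return rule.action
    return "block"                          # pfSense default deny
```

Addresses in the test packets use documentation ranges (198.51.100.x, 203.0.113.x) as constructed stand-ins for the WAN address and Internet hosts.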

DynDNS (Dynamic DNS) Registration:
{username}.ddns.net
Allonis myUI for tablets http://{username}.ddns.net:6245/myui.tablets/index.html
Allonis myUI for phones http://{username}.ddns.net:6245/myui.phones/index.html

As myFirewall is configured with "Split DNS", the user always uses the same URL (including the port) both inside and outside of the network. Split DNS routes a request originating from within the Intranet directly to the myServer PC for an immediate response. For reference, the alternative strategy of using "Port Reflection" routes the request outside of the Intranet for resolution, which then points back to myServer. This takes a bit longer to process.

WiFi:
WiFi can be configured with a Guest mode so that no WiFi device on that network can connect to the Elk (as an example).
Example of an SSID for Guest: myHome2_Guest or myHome5_Guest (2.4 vs. 5 GHz connections)
It seems the new Google WiFi (GWF) can't be in Bridge mode and also do its magic of mesh networking on the WiFi side. So, by default the Google WiFi will have its own DHCP server turned on and will create another network domain of its own for the WiFi clients. You can have myFirewall manage these clients, but you would then turn on Bridge Mode on GWF, and the downside is that GWF's WiFi mesh networking would then not function. The LAN would still work just fine as long as you have enough wired GWF (or other) WiFi access points.

Installation Steps

Step 1) Change the network configuration in the existing myServer under the Tools / Options / Network tab. Change the myServer DNS name to "{username}.ddns.net" (as an example). Set the web server TCP/IP port to 6245 and the WebSockets TCP port to 8181.

Step 2) Restart myServer for these new settings to take effect.

Step 3) Reconfigure myServer PC IP to Static IP: 192.168.0.210 / Gateway: 192.168.0.201 / DNS Server: 192.168.0.201.  Note that once you commit these changes, you won't be able to communicate to this PC until after the rest of network is configured and reconnected.

Step 4) Put the Internet modem or cable box into Bridge Mode (see your modem's instructions for how to do this, and the appendix below). Restart this modem. Note that you will lose Internet connectivity once you have done this. Make sure you know how to reset your modem back to the way it was, in case for some reason you need help from the Internet (like from Allonis). Make sure you know your Internet service provider's login credentials (write them down).

Step 5) Rewire like this: 

  • Internet feed to Cable / DSL modem.  Modem LAN connection to myFirewall WAN connection
  • myFirewall LAN1 connection to existing hardwired LAN (192.168.0.x)
  • myFirewall LAN2 and LAN3 won't be connected to anything.

Step 6) Power up the myFirewall. It is always best to plug the myFirewall transformer into a UPS / generator supply to ensure network uptime in the event of a power outage.

Step 7) From the Intranet (LAN1), make sure you have a PC client set up for DHCP. It will get its address from myFirewall.

Step 8) From the PC client, in a Chrome or Safari browser, go to: https://192.168.0.201 You will see a "Certificate is Invalid" message. Ignore the message and continue to Accept. Log in with admin / allonis. You should now see the Dashboard of the myFirewall. You can manage all of the settings from here. Allonis has pre-set most of the important settings.

Step 9) Test your network: From the PC client, open a command prompt and issue: ping 192.168.0.210 then press the Enter key. You should immediately see responses back from the myServer PC.

Step 10) Test myServer: From the PC client, open a Chrome or Safari browser and go to: http://{username}.ddns.net:6245/myUI.Tablets/index.html (as an example). You should see either a login screen or your home page (depending on how you have configured myServer). Once all of your images load, you are done!

Optional Step 11) If you have the myFirewall4, it is set up so you can move myServer, your security panel, etc. to LAN2. This will put those devices on the 192.168.2.X network. myServer will be 192.168.2.210. myFirewall4 is configured to pass only web data from LAN1 to LAN2 to keep LAN2 more secure.

Optional Step 12) myFirewall4 is also set up with a LAN3, which is intended so you can create a Guest network. This port will only allow traffic to the Internet, and not to LAN1 or LAN2.

As the myFirewall will be responsible for all packet routing, the Internet provider's cable / DSL modem should be put into Bridge Mode. This allows all packets to be passed bidirectionally through the modem.

Appendix

How do I enable bridge mode?

The best solution to double NAT is enabling bridge mode on your modem/router combo.

Log into your router or modem/router combo and find its settings to enable bridge mode. To access your router's settings, you might have to open an internet browser and enter your router's IP address in the address bar.

Details vary depending on the device. Many ISPs and manufacturers provide instructions on how to do this:


For the following modems:

  • VersaLink 7500 gateway
  • VersaLink 327W gateway
  • Actiontec 704WG gateway
  • Westell 6100 modem

Visit: http://www.verizon.com/support/residential/internet/highspeed/networking/setup/questionsone/123765.htm

For the Actiontec GT704WG modem, visit: http://www.verizon.com/support/residential/internet/highspeedinternet/networking/setup/actiontec704wg/123754.htm

For the Actiontec MI424WR, visit: http://support.actiontec.com/doc_files/Configure_MI424WR_as_a_LAN_MoCA_Bridge.pdf 


For Comcast Home users, follow the instructions in this help article: Enable or Disable Bridge Mode on a Wireless Gateway.

For Comcast Business users, contact Comcast Business support and ask them to set your modem to "Passthrough" or "Bridge" mode.