pfSense is an open-source firewall and routing platform developed by Netgate and known for its security and flexibility. It goes well beyond a traditional firewall and is aimed at network administrators and IT professionals. Its open-source development keeps pace with changing security needs, and it scales from small home setups to large enterprises across a wide range of hardware and performance requirements. A web-based interface simplifies configuration, while a broad set of security features protects the network. In this post we walk through pfSense firewall configuration.

Key Features of pfSense

  • It supports multiple network interfaces and VLANs, allowing you to create different network segments and isolate traffic.
  • It offers a web-based graphical user interface (GUI) for easy configuration and management, as well as a command-line interface (CLI) for advanced users.
  • It provides advanced firewall, routing, NAT, VPN, and traffic shaping capabilities, giving you granular control over your network traffic and security policies.
  • It supports various packages and plugins for additional functionality, such as intrusion detection and prevention, web filtering, load balancing, monitoring, and more.

How to Perform the Initial pfSense Firewall Configuration

After you have installed pfSense on your device, you need to perform some initial pfSense firewall configuration to make it functional and secure. You can do this by using the setup wizard that will guide you through the basic settings. Follow these steps to complete the initial configuration:

  1. Connect your client computer to the LAN interface of your pfSense device using an Ethernet cable. You can also connect to the WAN interface if you have a DHCP server on your network.
  2. Open a web browser on your client computer and enter the default IP address of your pfSense device, which is 192.168.1.1. You will see a login page asking for the username and password.
  3. Now log in using the username “admin” and the password “pfsense”. You will see a dashboard showing the status of your pfSense device.
  4. Click on the Next button at the bottom right corner of the dashboard to start the setup wizard. You will see a welcome page with some information about pfSense.
  5. Click on the Next button again to proceed to the general settings page. Here, you can configure some basic settings such as:
    • Hostname: The name of your pfSense device, such as pfsense.localdomain
    • Domain: The domain name of your network, such as localdomain
    • Primary DNS Server: The IP address of your primary DNS server, such as 8.8.8.8
    • Secondary DNS Server: The IP address of your secondary DNS server, such as 8.8.4.4
    • Time Server: The hostname or IP address of the time server for your network, such as pool.ntp.org
    • Timezone: The timezone of your location, such as Africa/Cairo
  6. Click Next to proceed to the WAN interface settings page and configure the WAN interface.
  7. Click Next to proceed to the LAN interface settings page and configure the LAN interface.
  8. Click on the Next button to proceed to the password settings page. Here, you can change the default password for the admin user account, which is highly recommended for security reasons.
  9. Click on the Next button to proceed to the reload settings page. Here, you can review and apply the changes that you have made during the setup wizard.
  10. Click on the Reload button to save and apply the changes. Your pfSense device will reboot and reload with the new configuration.

pfSense Firewall Rules


Firewall rules are one of the most important features of pfSense, as they allow you to control and filter the traffic that passes through your network interfaces. Each pfSense firewall rule matches traffic on criteria such as source, destination, protocol, and port, and applies an action such as Pass or Block. You can create firewall rules for each interface separately or for all interfaces at once using floating rules.

Follow These Steps to Create Firewall Rules in pfSense

  1. Log in to the pfSense web-based GUI using your username and password.
  2. Navigate to Firewall > Rules from the top menu bar.
  3. Select the interface that you want to create firewall rules for from the tabs below the menu bar. For example, if you want to create firewall rules for the LAN interface, select the LAN tab.
  4. To add a new firewall rule, click Add. You will see a form with various fields and options to configure your firewall rule.
  5. Fill in the fields and options according to your needs and preferences.
  6. Click Save to save your firewall rule.
  7. Finally, click on Apply Changes.

Examples of Common pfSense Firewall Rules

Examples of common firewall rule configurations:

  1. Allow all traffic from LAN to WAN: This is the default firewall rule for the LAN interface, which allows any device on your local network to access the internet. To create this rule, you need to set the following fields and options:
    • Action: Pass
    • Interface: LAN
    • Address Family: IPv4+IPv6
    • Protocol: Any
    • Source: Any
    • Destination: Any
  2. Block all traffic from WAN to LAN: This is a common firewall rule for the WAN interface, which blocks any incoming traffic from the internet to your local network. To create this rule, you need to set the following fields and options:
    • Action: Block
    • Interface: WAN
    • Address Family: IPv4+IPv6
    • Protocol: Any
    • Source: Any
    • Destination: LAN net
  3. Allow ping from LAN to WAN: This is a useful firewall rule for troubleshooting purposes, which allows you to ping any host on the internet from your local network. To create this rule, you need to set the following fields and options:
    • Action: Pass
    • Interface: LAN
    • Address Family: IPv4+IPv6
    • Protocol: ICMP
    • Source: Any
    • Destination: Any
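To see why rule order matters when rules share an interface, here is an added Python model (written for this post, not pfSense's own code) that evaluates the three example rules above the way pfSense does: top-down on the packet's interface, first match wins, and an implicit default deny when nothing matches. The LAN subnet and the sample packets are constructed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.1.0/24")  # constructed: pfSense's default LAN subnet

@dataclass
class Packet:
    iface: str  # interface the packet arrives on: "LAN" or "WAN"
    proto: str  # "tcp", "udp" or "icmp"
    src: str
    dst: str

@dataclass
class Rule:
    action: str  # "pass" or "block"
    iface: str   # interface tab the rule was created on
    proto: str   # "any", "tcp", "udp" or "icmp"
    src: str     # "any", "LAN net" or a CIDR
    dst: str     # "any", "LAN net" or a CIDR
    descr: str = ""

def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "LAN net":
        return ip_address(addr) in LAN_NET
    return ip_address(addr) in ip_network(spec, strict=False)

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface == pkt.iface
            and rule.proto in ("any", pkt.proto)
            and _addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst))

def evaluate(rules: list, pkt: Packet) -> tuple:
    # Rules are walked top-down and the first match wins; with no match,
    # pfSense's implicit default deny applies and the packet is blocked.
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.descr
    return "block", "default deny"

# The three rules from the examples above, ordered so the narrower ICMP rule
# sits above the catch-all LAN rule (placed below it, it would never match).
RULES = [
    Rule("pass", "LAN", "icmp", "any", "any", "Allow ping from LAN to WAN"),
    Rule("pass", "LAN", "any", "any", "any", "Allow all traffic from LAN to WAN"),
    Rule("block", "WAN", "any", "any", "LAN net", "Block all traffic from WAN to LAN"),
]
```

Evaluating `RULES[1:]` against an ICMP packet shows the ordering point: with the catch-all rule first, the ping rule is never the one reported as matched.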

NAT (Network Address Translation)


NAT is a technique that allows multiple devices on a private network to share a single public IP address when accessing the internet. NAT helps to conserve the limited IPv4 address space, improve network security, and reduce routing complexity. pfSense supports various types of NAT, such as:

  • Source NAT: This is the most common type of NAT, which translates the source IP address and port of outgoing packets from the private network to the public IP address and port of the pfSense device. This allows multiple devices on the private network to access the internet using the same public IP address.
  • Destination NAT: This is the opposite of source NAT, which translates the destination IP address and port of incoming packets from the internet to the private IP address and port of a device on the private network. This allows a device on the private network to be accessible from the internet using a public IP address and port.
  • Port Forwarding: This is a special case of destination NAT, which forwards incoming packets from a specific port on the public IP address to a specific port on a device on the private network. This allows a service or application on a device on the private network to be accessible from the internet using a specific port.
  • 1:1 NAT: This is a type of NAT that maps one public IP address to one private IP address without changing the port number. This allows a device on the private network to have its own public IP address and be fully accessible from the internet.

Setting Up NAT Rules in pfSense

  1. Log in to the pfSense web-based GUI using your username and password.
  2. Navigate to Firewall > NAT from the top menu bar.
  3. Select the type of NAT that you want to configure from the tabs below the menu bar. For example, if you want to configure port forwarding, select the Port Forward tab.
  4. Click on the Add button at the bottom of the rules table to add a new NAT rule. You will see a form with various fields and options to configure your NAT rule.
  5. Fill in the fields and options according to your needs and preferences, such as:
    • Disabled: The option to disable or enable the rule
    • Interface: The interface that receives incoming packets for this rule, which is usually WAN
    • Protocol: The protocol that this rule applies to, such as TCP, UDP, or Any
    • Destination: The destination of incoming packets for this rule, which is usually the WAN address
    • Destination Port Range: The port or port range that incoming packets for this rule must match, such as HTTP (80) or Custom
    • Redirect Target IP: The IP address of the device on the private network that this rule forwards packets to, such as 192.168.1.100
    • Redirect Target Port: The port or port range that this rule forwards packets to, which is usually the same as the destination port range.
    • Description: The description of the rule for your reference
  6. Click on the Save button at the bottom of the form to save your NAT rule.
  7. Click on the Apply Changes button at the top of the rules table to apply your NAT rule.

Here Are Some Examples of Common NAT Rule Configurations

  1. Port forward HTTP traffic from WAN to LAN: This is a common port forwarding rule that makes a web server on your LAN reachable from the internet over HTTP. To create this rule, you need to set the following fields and options:
    • Interface: WAN
    • Protocol: TCP
    • Destination: WAN address
    • Destination Port Range: HTTP (80)
    • Redirect Target IP: The IP address of your web server on LAN, such as 192.168.1.100
    • Redirect Target Port: HTTP (80)
  2. 1:1 NAT for LAN device: This is a common 1:1 NAT rule that assigns a public IP address to a device on your LAN, such as a server or a camera. To create this rule, you need to set the following fields and options:
    • Interface: WAN
    • External Subnet IP: The public IP address that you want to map to your LAN device, such as 203.0.113.100
    • Internal IP: The IP address of your LAN device, such as 192.168.1.100
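As an added illustration of the NAT types described earlier and of the two example rules just above (written for this post, not taken from pfSense), the following Python models the destination rewrite performed by a port forward and the bidirectional address mapping of a 1:1 rule. WAN_ADDR, the sample packets and the 192.168.1.200 host are constructed values, and the code assumes port forwards are consulted before 1:1 mappings.

```python
from dataclasses import dataclass, replace

WAN_ADDR = "203.0.113.1"  # constructed: the public address on the pfSense WAN interface

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class PortForward:  # one row of Firewall > NAT > Port Forward
    proto: str
    dst: str          # "Destination", normally the WAN address
    dport: int        # "Destination Port Range"
    target_ip: str    # "Redirect Target IP"
    target_port: int  # "Redirect Target Port"

@dataclass
class OneToOne:  # one row of Firewall > NAT > 1:1
    external: str  # "External Subnet IP"
    internal: str  # "Internal IP"

def inbound(pkt: Packet, forwards: list, one_to_one: list) -> Packet:
    # Destination NAT for a packet arriving on WAN; first match wins.
    # Assumption: port forwards are consulted before 1:1 mappings.
    for f in forwards:
        if (pkt.proto, pkt.dst, pkt.dport) == (f.proto, f.dst, f.dport):
            return replace(pkt, dst=f.target_ip, dport=f.target_port)
    for m in one_to_one:
        if pkt.dst == m.external:  # 1:1 leaves the port untouched
            return replace(pkt, dst=m.internal)
    return pkt  # untranslated; the WAN firewall rules then decide its fate

def outbound(pkt: Packet, one_to_one: list) -> Packet:
    # Source NAT for a packet leaving via WAN: a 1:1 host keeps its dedicated
    # public address, everyone else shares WAN_ADDR (source port kept as-is).
    for m in one_to_one:
        if pkt.src == m.internal:
            return replace(pkt, src=m.external)
    return replace(pkt, src=WAN_ADDR)

# The two NAT examples above; 192.168.1.200 is a constructed second LAN host.
FORWARDS = [PortForward("tcp", WAN_ADDR, 80, "192.168.1.100", 80)]
ONE_TO_ONE = [OneToOne("203.0.113.100", "192.168.1.200")]
```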

Following the steps above will let you configure the pfSense firewall with ease and administer it with confidence.