====== PFSense - Install pfSense - Create Firewall Aliases ======
Create a few aliases that will be used when the firewall rules are built later.
Aliases simplify future changes, especially as more interfaces and functionality are added to the network: a port or subnet is edited once in the alias rather than in every rule that references it.
----
===== Define Alias for Local Subnets =====
Create an alias to define the internal subnet we are using.
Navigate to **Firewall -> Aliases -> IP**.
Click **Add**.
* Name: **LOCAL_SUBNETS**.
* Description: **local subnets**.
* Type: **Networks**.
* Network: **192.168.0.0**.
* CIDR: **16**.
* Comment: **LAN (192.168.0.0 - 192.168.255.255)**.
Click **Save**.
**NOTE:** The other private (RFC 1918) ranges can also be added to this alias if they are in use on your network, such as:
  * 10.0.0.0/8
  * 172.16.0.0/12
----
===== Define Alias for Printers =====
Create an alias to define the printers we are using.
Navigate to **Firewall -> Aliases -> IP**.
Click **Add**.
* Name: **PRINTERS**.
* Description: **local subnets**
* Type: **Host(s)**.
* Network: **192.168.1.100**.
* Comment: **HP Officejet Pro 8620**.
Click **Save**.
**NOTE:** This alias will be used in firewall rules to grant users on other VLANs access to the printers.
----
The remaining aliases below still need to be worked out properly, so ignore them for now.
----
===== Define Alias for Ubiquiti =====
Navigate to **Firewall -> Aliases -> Ports**.
Click **Add**.
* Name: **Ubiquiti_TCP**.
* Description: **Ubiquiti Ports TCP (Internal Only)**.
* Type: **Ports**.
* Port(s):
  * 8080 : Device and controller communication.
  * 8443 : Controller GUI/API as seen in a web browser.
  * 8843 : HTTPS portal redirection.
  * 8880 : HTTP portal redirection.
Click **Save**.
----
Click **Add**.
* Name: **Ubiquiti_UDP**.
* Description: **Ubiquiti Ports UDP (Internal Only)**.
* Type: **Ports**.
* Port(s):
  * 1900 : "Make controller discoverable on L2 network" in controller settings.
  * 3478 : STUN.
  * 5514 : Remote syslog capture.
  * 10001 : Device discovery (UBNT broadcast).
Click **Save**.
----
===== Define Alias for Plex =====
Navigate to **Firewall -> Aliases -> Ports**.
Click **Add**.
* Name: **Plex_Ports_TCP**.
* Description: **Plex Ports TCP (Internal Only)**.
* Type: **Ports**.
* Port(s):
  * 3005 : Plex Home Theater via Plex Companion.
  * 8324 : Plex for Roku via Plex Companion.
  * 32400 : Plex Media Server.
  * 32469 : Plex DLNA Server.
Click **Save**.
----
Click **Add**.
* Name: **Plex_Ports_UDP**.
* Description: **Plex Ports UDP (Internal Only)**.
* Type: **Ports**.
* Port(s):
  * 1900 : Plex DLNA Server.
  * 5353 : Bonjour/Avahi network discovery.
  * 32410, 32412:32414 : GDM network discovery.
Click **Save**.
----
===== Define Alias for Chromecast Ports =====
Navigate to **Firewall -> Aliases -> Ports**.
Click **Add**.
* Name: **Chromecast_Ports_TCP**.
* Description: **Chromecast_Ports_TCP**.
* Type: **Ports**.
* Port(s):
  * 8008, 8009 : Chromecast ports.
  * 8443 : Required for the Google Home app on Android.
Click **Save**.
----
Click **Add**.
* Name: **Chromecast_Ports_UDP**.
* Description: **Chromecast_Ports_UDP**.
* Type: **Ports**.
* Port(s):
  * 1900 : SSDP.
  * 5353 : Bonjour services/discovery.
  * 5556, 5558 : Videostream ports.
  * 32768:61000 : Chromecast ports.
Click **Save**.
**NOTE:** The firewall rules built on these aliases need to:
* Allow both TCP ports 8008 and 8009 outbound to the Chromecast device.
* Allow high UDP ports both incoming and outgoing. "High ports" are the local ephemeral ports, usually in the range 32768-61000.
* Allow the special SSDP packets outbound (UDP to the multicast address 239.255.255.250, destination port 1900), which are used to discover other Google devices on the same network. Google devices reply to the source IP of this packet.
See: https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-6/chromecastDG76/ChromecastDG76.html
See: https://help.ui.com/hc/en-us/articles/360001004034-UniFi-Best-Practices-for-Managing-Chromecast-Google-Home-on-UniFi-Network
----
===== Define Alias for FTPes Ports =====
Navigate to **Firewall -> Aliases -> Ports**.
Click **Add**.
* Name: **FTPes_Ports**.
* Description: **FTPes_Ports**.
* Type: **Ports**.
* Port(s):
  * 55000:55005 : FTPes ports.
Click **Save**.
----
===== Define Alias for Other Ports allowed to communicate between internal subnets =====
Create a list of ports to define what traffic is permitted to traverse between local subnets.
Navigate to **Firewall -> Aliases -> Ports**.
Click **Add**.
* Name: **Allowed_OUT_Ports_LAN**.
* Description: **Allowed LAN Ports**.
* Type: **Ports**.
* Port(s):
  * 21 : FTP
  * 22 : SSH
  * 53 : DNS
  * 80 : HTTP
  * 123 : NTP
  * 161 : SNMP
  * 427 : SLP (printer scanner)
  * 443 : HTTPS
  * 515 : LPD (printer)
  * 631 : IPP (printer)
  * 853 : DNS over TLS
  * 3389 : Remote Desktop
  * 5001 : iPerf
  * 5353:5354 : mDNS
  * 5900 : IPMI
  * 9000 : VNC
  * 49152:65535 : Ephemeral ports
Click **Save**.
**NOTE:** You will need to amend this alias to suit your own network's requirements, but this should get you started.
To find out what your network actually needs, enable firewall logging and review the firewall logs: they show which ports are being used and which are being blocked, so the alias can be tightened or extended from evidence rather than guesswork.
----
===== Define Alias for Ports allowed to access the internet =====
Navigate to **Firewall -> Aliases -> Ports**.
Click **Add**.
* Name: **Allowed_OUT_Ports_WAN**.
* Description: **Allowed WAN Ports**.
* Type: **Ports**.
* Port(s):
  * 21 : FTP
  * 22 : SSH
  * 53 : DNS
  * 80 : HTTP
  * 119 : NNTP
  * 143 : IMAP
  * 443 : HTTPS
  * 465 : SMTPS
  * 587 : SMTPS
  * 993 : IMAPS
  * 5222 : XMPP
  * 6667 : IRC
  * 6697 : IRCS
  * 8080 : HTTP Alt
  * 8443 : CalDAV
  * 8843 : CardDAV
  * 49152:65535 : Ephemeral ports
Click **Save**.
**NOTE:** You will need to amend this alias to suit your own network's requirements, but this should get you started.
To find out what your network actually needs, enable firewall logging and review the firewall logs: they show which ports are being used and which are being blocked.
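The log review suggested in the notes above (and in the LAN section) can be automated. The following Python script is an added example, not part of this page or of pfSense: it holds the LOCAL_SUBNETS, Allowed_OUT_Ports_LAN and Allowed_OUT_Ports_WAN aliases as defined here, parses pfSense filterlog CSV lines, and counts blocked outbound flows from local hosts whose destination port no alias covers, so the alias that needs amending is named directly. The filterlog field positions are an assumption taken from pfSense's documented IPv4 TCP/UDP layout, and the sample log lines are constructed.

```python
import ipaddress
from collections import Counter

# Aliases as defined on this page, in pfSense port syntax ("443" or "32412:32414").
LOCAL_SUBNETS = ["192.168.0.0/16"]
PORT_ALIASES = {
    "Allowed_OUT_Ports_LAN": "21 22 53 80 123 161 427 443 515 631 853 3389 5001 5353:5354 5900 9000 49152:65535".split(),
    "Allowed_OUT_Ports_WAN": "21 22 53 80 119 143 443 465 587 993 5222 6667 6697 8080 8443 8843 49152:65535".split(),
}

def parse_port_spec(spec):
    """Turn one alias entry ('443' or '32412:32414') into an inclusive (lo, hi) pair."""
    lo, _, hi = spec.partition(":")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port spec {spec!r}")
    return lo, hi

def port_in_alias(port, alias):  # does the port fall inside any entry of the alias?
    return any(lo <= port <= hi for lo, hi in map(parse_port_spec, PORT_ALIASES[alias]))
def is_local(ip):  # does the address belong to the LOCAL_SUBNETS alias?
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in LOCAL_SUBNETS)

def parse_filterlog(line):
    """Pull action/proto/src/dst/dport from one pfSense filterlog CSV line. Positions assumed
    from the IPv4 TCP/UDP layout: 6 action, 8 ip-version, 16 proto, 18 src, 19 dst, 21 dport."""
    f = line.split(",")
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None  # IPv6, ICMP and truncated lines are out of scope here
    return {"action": f[6], "proto": f[16], "src": f[18], "dst": f[19], "dport": int(f[21])}

def uncovered_blocks(lines):
    """Count blocked flows from local hosts whose destination port is absent from the alias
    that governs them: the LAN alias for local destinations, the WAN alias otherwise."""
    gaps = Counter()
    for ev in filter(None, map(parse_filterlog, lines)):
        if ev["action"] != "block" or not is_local(ev["src"]):
            continue  # passes and inbound-from-internet blocks are not alias gaps
        alias = "Allowed_OUT_Ports_LAN" if is_local(ev["dst"]) else "Allowed_OUT_Ports_WAN"
        if not port_in_alias(ev["dport"], alias):
            gaps[(alias, ev["proto"], ev["dport"])] += 1
    return gaps

# Constructed lines in filterlog shape (not real captures); rule ids are placeholders.
SAMPLE_LOG = [
    "5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,192.168.2.20,51234,8443,0,S,1:2,,65535,,mss",
    "5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.51,192.168.2.20,51300,8443,0,S,1:2,,65535,,mss",
    "5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,none,17,udp,76,192.168.1.60,8.8.8.8,40000,123,56",
    "5,,,1000000103,igb0,match,block,in,4,0x0,,52,0,0,none,6,tcp,40,203.0.113.7,192.168.1.5,55555,22,0,S,1:2,,1024,,",
]
```

Run `uncovered_blocks(SAMPLE_LOG).most_common()` to see the gaps ranked by frequency; on a real box, feed it the lines of the filter log instead of SAMPLE_LOG.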
----
Return to [[PFSense:Install pfSense|Install pfSense]] or continue to [[PFSense:Install pfSense:Create Firewall Rules|Create Firewall Rules]].
----