====== PFSense - Install pfSense - Create Firewall Rules ======

====== WAN Firewall Rules ======

Navigate to **Firewall -> Rules -> WAN**.

There should be two default rules already created on this page, due to the autogeneration of rules option configured on the WAN Interface.

{{:pfsense:install_pfsense:pfsense_-_firewall_-_rules_-_wan_-_default_rules.png?800|}}

----

====== LAN Firewall Rules ======

Navigate to **Firewall -> Rules -> LAN**.

LAN Firewall rules will cover:

  * Anti-Lockout to ensure you can always gain access to pfSense.
  * Allow ICMP pings to facilitate debugging.
  * Allow all other traffic, internal and external.

----

===== Anti-Lockout =====

There should be a default **Anti-Lockout** rule already created on this page.

{{:pfsense:install_pfsense:pfsense_-_firewall_-_rules_-_lan_-_anti-lockout_rule.png?800|}}

----

===== Allow ICMP Pings =====

  * Click **Add (up arrow)**. Add this above the default **Permit Traffic Rules**.
  * Action: **Pass**.
  * Disabled: **Not Checked**.
  * Interface: **LAN**.
  * Address Family: **IPv4**.
  * Protocol: **ICMP**.
  * ICMP subtype: **echo request**.
  * Source: **LAN net**.
  * Destination: **Any**.
  * Log: **Not Checked**.
  * Description: **LAN - Allow ICMP Ping**.

{{:pfsense:install_pfsense:pfsense_-_firewall_-_rules_-_lan_-_allow_pings.png?800|}}

**NOTE:** This rule is not strictly needed here, as the **Permit Traffic Rules** defined next also allow pings. It is included separately so that pings are logged on their own rule, and to cater for future changes.

----

===== Permit Traffic Rules =====

There should already be default Permit Traffic Rules.

{{:pfsense:install_pfsense:pfsense_-_firewall_-_rules_-_lan_-_permit_traffic_rules.png?800|}}

**NOTE:** These rules allow all traffic through from the LAN. This may be too open. To secure this better, these default rules could be replaced with rules that allow only specific traffic.
----

The final ruleset for the LAN will be:

{{:pfsense:install_pfsense:pfsense_-_firewall_-_rules_-_lan.png?800|}}

----

====== CLEAR Firewall Rules ======

Navigate to **Firewall -> Rules -> CLEAR**.

The requirements for this interface are:

  * Allow access to the Printers.
  * Allow internet traffic.

----

===== Allow traffic from CLEAR interface to Printers =====

Navigate to **Firewall -> Rules**. Select **CLEAR**.

  * Click **Add (up arrow)**.
  * Action: **Pass**.
  * Disabled: **Not Checked**.
  * Interface: **CLEAR**.
  * Address Family: **IPv4**.
  * Protocol: **TCP/UDP**.
  * Source: **CLEAR net**.
  * Destination:
    * Invert Match: **Not Checked**.
    * Single Host or alias: **PRINTERS**.
  * Log: **Checked**.
  * Description: **Allow CLEAR to Printer**.

**NOTE:** This allows users of the CLEAR network to access the Printers.

----

===== Allow traffic from CLEAR interface to the Internet =====

Navigate to **Firewall -> Rules**. Select **CLEAR**.

  * Click **Add (up arrow)**.
  * Action: **Pass**.
  * Disabled: **Not Checked**.
  * Interface: **CLEAR**.
  * Address Family: **IPv4**.
  * Protocol: **ANY**.
  * Source: **CLEAR net**.
  * Destination: **any**.
  * Log: **Checked**.
  * Description: **Allow CLEAR to any**.

**NOTE:** This allows users of the CLEAR network to access the internet.

----

The final ruleset for CLEAR will be:

{{:pfsense:install_pfsense:pfsense_-_firewall_-_rules_-_clear.png?800|}}

----

====== IOT Firewall Rules ======

Navigate to **Firewall -> Rules -> IOT**.

IOT devices should be prevented from accessing anything that is not essential to them. The requirements for the IOT interface are:

  * Allow ICMP pings to facilitate debugging.
  * Redirect any non-local DNS lookups.
  * Redirect any non-local NTP time lookups.
  * Deny traffic to other internal interfaces.
  * Deny traffic to any local networks.
  * Allow internet traffic via default gateway.
  * Reject any other traffic.

----

===== Allow ICMP Pings =====

  * Click **↴+Add**.
  * Action: **Pass**.
  * Disabled: **Not Checked**.
  * Interface: **IOT**.
  * Address Family: **IPv4**.
  * Protocol: **ICMP**.
  * ICMP subtype: **echo request**.
  * Source: **IOT net**.
  * Destination: **Any**.
  * Log: **Not Checked**.
  * Description: **IOT - Allow ICMP Ping**.

----

===== Redirect DNS lookups =====

Navigate to **Firewall -> NAT**. Select **Port Forward**. Click **Add**.

  * Disabled: **Not Checked**.
  * No RDR (NOT): **Not Checked**.
  * Interface: **IOT**.
  * Protocol: **TCP/UDP**.
  * Source: **IOT net**.
  * Source port range:
    * From: **Any**.
    * To: **Any**.
  * Destination:
    * Invert Match: **Checked**.
    * Source: **IOT address**.
  * Destination target port range:
    * From: **DNS**.
    * To: **DNS**.
  * Redirect target IP: **127.0.0.1**.
  * Redirect target port: **DNS**.
  * Description: **IOT DNS redirect**.
  * No XMLRPC Sync: **Not Checked**.
  * NAT reflection: **Use system default**.
  * Filter rule association: **Add associated filter rule**.

Click **Save** and Apply.

----

===== Redirect NTP lookups =====

Navigate to **Firewall -> NAT**. Select **Port Forward**. Click **Add**.

  * Disabled: **Not Checked**.
  * No RDR (NOT): **Not Checked**.
  * Interface: **IOT**.
  * Protocol: **UDP**.
  * Source: **IOT net**.
  * Source port range:
    * From: **Any**.
    * To: **Any**.
  * Destination:
    * Invert Match: **Checked**.
    * Source: **IOT address**.
  * Destination target port range:
    * From: **NTP**.
    * To: **NTP**.
  * Redirect target IP: **127.0.0.1**.
  * Redirect target port: **NTP**.
  * Description: **IOT NTP redirect**.
  * No XMLRPC Sync: **Not Checked**.
  * NAT reflection: **Use system default**.
  * Filter rule association: **Add associated filter rule**.

Click **Save** and Apply.

----

===== Validate DNS & NTP Redirects =====

Navigate to **Firewall -> Rules**. Select **IOT**.

There should be two rules for the DNS and NTP redirects at the bottom of the list.

----

===== Reject traffic to other internal interfaces =====

Navigate to **Firewall -> Rules**. Click **IOT**.

  * Click **↴+Add**.
  * Action: **Reject**.
  * Disabled: **Not Checked**.
  * Interface: **IOT**.
  * Address Family: **IPv4**.
  * Protocol: **TCP/UDP**.
  * Source: **IOT net**.
  * Destination:
    * Invert match: **Not Checked**.
    * **Single host or alias**.
    * Address: **LOCAL_SUBNETS**.
  * Destination Port Range:
    * From: **Any**.
    * To: **Any**.
  * Log: **Not Checked**.
  * Description: **IOT - Reject internal interfaces**.
  * Click **Save**.

**NOTE:** Reject is used instead of Block because the sender receives an immediate response rather than waiting for a timeout.

----

===== Allow IOT to Access the Internet =====

  * Click **↴+Add**.
  * Action: **Pass**.
  * Disabled: **Not Checked**.
  * Interface: **IOT**.
  * Address Family: **IPv4**.
  * Protocol: **TCP/UDP**.
  * Source: **IOT net**.
  * Destination:
    * Invert match: **Checked**.
    * **Single host or alias**.
    * Address: **LOCAL_SUBNETS**.
  * Destination Port Range:
    * From: **Any**.
    * To: **Any**.
  * Log: **Not Checked**.
  * Description: **IOT - Allow traffic to WAN**.
  * Click **Save**.

----

===== Block unknown IPv4 =====

  * Click **↴+Add**.
  * Action: **Reject**.
  * Disabled: **Not Checked**.
  * Interface: **IOT**.
  * Address Family: **IPv4**.
  * Protocol: **Any**.
  * Source: **Any**.
  * Destination: **Any**.
  * Log: **Checked**.
  * Description: **IOT - Block IPv4**.
  * Click **Save**.

**NOTE:** Reject is used rather than Block on internal interfaces so that any program trying to send traffic gets a response immediately, avoiding the delays of waiting for a timeout.

----

===== Block unknown IPv6 =====

  * Click **↴+Add**.
  * Action: **Reject**.
  * Disabled: **Not Checked**.
  * Interface: **IOT**.
  * Address Family: **IPv6**.
  * Protocol: **Any**.
  * Source: **Any**.
  * Destination: **Any**.
  * Log: **Not Checked**.
  * Description: **IOT - Block IPv6**.
  * Click **Save**.

**NOTE:** Reject is used rather than Block on internal interfaces so that any program trying to send traffic gets a response immediately, avoiding the delays of waiting for a timeout.
----

The final ruleset for IOT will be:

{{:pfsense:install_pfsense:pfsense_-_firewall_-_rules_-_iot.png?800|}}

----

====== GUEST Firewall Rules ======

Guests are not allowed to access any internal devices or subnets. The requirements for the GUEST interface are:

  * Allow ICMP pings to facilitate debugging.
  * Deny traffic to other internal interfaces.
  * Deny traffic to any local networks.
  * Allow internet traffic via default gateway.
  * Allow non-local DNS lookups.
  * Allow non-local NTP time lookups.
  * Allow Guest-to-Guest network traffic.
  * Reject any other traffic.

----

===== Allow ICMP Pings =====

Navigate to **Firewall -> Rules**. Click **GUEST**.

  * Click **↴+Add**.
  * Action: **Pass**.
  * Disabled: **Not Checked**.
  * Interface: **GUEST**.
  * Address Family: **IPv4**.
  * Protocol: **ICMP**.
  * ICMP subtype: **echo request**.
  * Source: **GUEST net**.
  * Destination: **Any**.
  * Log: **Not Checked**.
  * Description: **GUEST - Allow ICMP Ping**.

----

===== Deny traffic to other internal interfaces =====

  * Click **↴+Add**.
  * Action: **Reject**.
  * Disabled: **Not Checked**.
  * Interface: **GUEST**.
  * Address Family: **IPv4**.
  * Protocol: **TCP/UDP**.
  * Source: **GUEST net**.
  * Destination:
    * Invert match: **Not Checked**.
    * **Single host or alias**.
    * Address: **LOCAL_SUBNETS**.
  * Destination Port Range:
    * From: **Any**.
    * To: **Any**.
  * Log: **Checked**.
  * Description: **GUEST - Reject internal interfaces**.
  * Click **Save**.

----

===== Allow Guest to Access the Internet =====

This permits external access, including DNS (port 53) and NTP (port 123) traffic.

  * Click **↴+Add**.
  * Action: **Pass**.
  * Disabled: **Not Checked**.
  * Interface: **GUEST**.
  * Address Family: **IPv4**.
  * Protocol: **any**.
  * Source: **GUEST net**.
  * Destination: **any**.
  * Log: **Not Checked**.
  * Description: **Allow GUEST to any**.
  * Click **Save**.

**NOTE:** On the **GUEST** network no redirection is made for DNS (port 53) or NTP (port 123) traffic, so this rule will also allow this traffic out.
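Because pfSense evaluates rules top to bottom and stops at the first match, and applies port-forward NAT before filtering, the outcome for a given packet depends on the order the IOT and GUEST rules above were added in. The following Python model is an added example, not part of the original page or of pfSense; it encodes the IOT ruleset (including the DNS and NTP port forwards and their associated filter rules at the bottom) and the GUEST ruleset exactly as this page lists them, and evaluates constructed packets against them. The subnet addresses, the pfSense IOT interface address and the contents of the **LOCAL_SUBNETS** alias are assumptions, since this page references them without defining them; ICMP subtypes are not modelled.

```python
"""First-match model of the IOT and GUEST rulesets described on this page.

pf semantics modelled here: port-forward (rdr) NAT is applied first, then the
first filter rule that matches wins, and a packet matching nothing falls to
pfSense's implicit default deny.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed assumptions: the page references these interfaces and the
# LOCAL_SUBNETS alias but does not define their addresses here.
IOT_NET = ip_network("192.168.30.0/24")
IOT_ADDRESS = ip_address("192.168.30.1")          # pfSense's own address on IOT
LOCAL_SUBNETS = [ip_network("192.168.10.0/24"),   # LAN   (assumed)
                 ip_network("192.168.20.0/24"),   # CLEAR (assumed)
                 ip_network("192.168.40.0/24")]   # GUEST (assumed)
PFSENSE_SELF = [ip_network("127.0.0.1/32")]       # redirect target from the page


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0


@dataclass
class Rule:
    action: str                     # "pass" or "reject"
    proto: set[str] | None          # None = any protocol
    family: int                     # 4 or 6 (Address Family)
    dst_nets: list | None           # None = any destination
    invert_dst: bool = False        # the "Invert match" checkbox
    dport: int | None = None
    desc: str = ""


def matches(rule: Rule, pkt: Packet) -> bool:
    dst = ip_address(pkt.dst)
    if rule.family != dst.version:
        return False
    if rule.proto is not None and pkt.proto not in rule.proto:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.dst_nets is None:
        return True
    in_alias = any(dst in net for net in rule.dst_nets)
    return in_alias != rule.invert_dst


# The two IOT port forwards: DNS (TCP/UDP 53) and NTP (UDP 123) from IOT net to
# anything except the IOT interface address itself are sent to 127.0.0.1.
IOT_REDIRECTS = [({"tcp", "udp"}, 53), ({"udp"}, 123)]


def apply_rdr(pkt: Packet, redirects) -> Packet:
    for protos, port in redirects:
        if (pkt.proto in protos and pkt.dport == port
                and ip_address(pkt.src) in IOT_NET
                and ip_address(pkt.dst) != IOT_ADDRESS):
            return Packet(pkt.proto, pkt.src, "127.0.0.1", pkt.dport)
    return pkt


IOT_RULES = [
    Rule("pass", {"icmp"}, 4, None, desc="IOT - Allow ICMP Ping"),
    Rule("reject", {"tcp", "udp"}, 4, LOCAL_SUBNETS, desc="IOT - Reject internal interfaces"),
    Rule("pass", {"tcp", "udp"}, 4, LOCAL_SUBNETS, invert_dst=True, desc="IOT - Allow traffic to WAN"),
    Rule("reject", None, 4, None, desc="IOT - Block IPv4"),
    Rule("reject", None, 6, None, desc="IOT - Block IPv6"),
    # Associated filter rules pfSense creates for the port forwards (at the bottom).
    Rule("pass", {"tcp", "udp"}, 4, PFSENSE_SELF, dport=53, desc="NAT IOT DNS redirect"),
    Rule("pass", {"udp"}, 4, PFSENSE_SELF, dport=123, desc="NAT IOT NTP redirect"),
]

GUEST_RULES = [
    Rule("pass", {"icmp"}, 4, None, desc="GUEST - Allow ICMP Ping"),
    Rule("reject", {"tcp", "udp"}, 4, LOCAL_SUBNETS, desc="GUEST - Reject internal interfaces"),
    Rule("pass", None, 4, None, desc="Allow GUEST to any"),
]


def evaluate(rules, pkt: Packet, redirects=()) -> tuple[str, str, str]:
    """Return (action, description of the matching rule, destination after NAT)."""
    pkt = apply_rdr(pkt, redirects)
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.desc, pkt.dst
    return "block", "default deny", pkt.dst


def iot(pkt: Packet) -> tuple[str, str, str]:
    return evaluate(IOT_RULES, pkt, IOT_REDIRECTS)


def guest(pkt: Packet) -> tuple[str, str, str]:
    return evaluate(GUEST_RULES, pkt)


if __name__ == "__main__":
    for p in (Packet("udp", "192.168.30.50", "8.8.8.8", 53),      # DNS to a public resolver
              Packet("tcp", "192.168.30.50", "192.168.10.10", 445),  # SMB to an assumed LAN host
              Packet("icmp", "192.168.30.50", "192.168.10.10")):     # ping to that LAN host
        print(p, "->", iot(p))
```

Running the model shows the two points worth checking after building these rules: an IOT device that sends DNS to a public resolver is answered by pfSense (the destination becomes 127.0.0.1) even though the device believes it is talking to the public address, whereas the same query from GUEST goes out unchanged; and because the ICMP rule sits above the reject rule with Destination **Any**, pings from IOT to hosts in LOCAL_SUBNETS still pass, which is consistent with the "facilitate debugging" requirement but should be a conscious choice.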
----

The final ruleset for GUEST will be:

{{:pfsense:install_pfsense:pfsense_-_firewall_-_rules_-_guest.png?800|}}

----

Return to [[PFSense:Install pfSense|Install pfSense]] or continue to [[PFSense:Install pfSense:Reboot and Verify|Reboot and Verify]].

----