PFSense - Install pfSense - Create Firewall Aliases

PFSense - Install pfSense - Create Firewall Aliases

Create a few aliases which we will use in the creation of the firewall rules later.

These simplify the job of making changes in future especially as we add more interfaces and functionality to our network.

Define Alias for Local Subnets

Create an alias to define the internal subnet we are using.

Navigate to Firewall → Aliases → IP.

Click Add.

Name: LOCAL_SUBNETS.
Description: local subnets
Type: Networks.
Network: 192.168.0.0.
CIDR: 16.
Comment: LAN (192.168.0.0 - 192.168.255.255).

Click Save.

NOTE: Other local subnets could also be included if they are used such as:

10.0.0.0/8
172.16.0.0/12

Define Alias for Printers

Create an alias to define the printers we are using.

Navigate to Firewall → Aliases → IP.

Click Add.

Name: PRINTERS.
Description: local subnets
Type: Host(s).
Network: 192.168.1.100.
Comment: HP Officejet Pro 8620.

Click Save.

NOTE: This alias will be used in firewall rules to grant users of other VLANs access to the Printers:

The other aliases below here still need to be worked out properly, so ignore for now.

Define Alias for Ubiquiti

Navigate to Firewall → Aliases → Ports.

Click Add.

Name = Ubiquiti_TCP.
Description = Ubiquiti Ports TCP (Internal Only).
Type: Ports.
Ports(s):
- 8080 : Device and controller communication.
- 8443 : Controller GUI/API as seen in a web browser.
- 8843 : HTTPS portal redirection.
- 8880 : HTTP portal redirection.

Click Save.

Click Add.

Name = Ubiquiti__UDP.
Description = Ubiquiti Ports UDP (Internal Only).
Type: Ports.
Ports(s):
- 1900 : “Make controller discoverable on L2 network” in controller settings.
- 3478 : STUN.
- 5514 : Remote Syslog Capture.
- 10001 : Device discovery. UBNT Broadcast.

Click Save.

Define Alias for Plex

Navigate to Firewall → Aliases → Ports.

Click Add.

Name = Plex_Ports_TCP.
Description = Plex Ports TCP (Internal Only).
Type: Ports.
Ports(s):
- 3005 : Plex Home Theater via Plex Companion.
- 8324 : Plex for Roku via Plex Companion.
- 32400 : Plex Media Server.
- 32469 : Plex DLNA Server.

Click Save.

Click Add.

Name = Plex_Ports_UDP.
Description = Plex Ports UDP (Internal Only).
Type: Ports.
Ports(s):
- 1900 : Plex DLNA Server
- 5353 : Bonjour/Avahi network discovery.
- 32410, 32412:32414 : GDM network discovery

Click Save.

Define Alias for Chromecast Ports

Navigate to Firewall → Aliases → Ports.

Click Add.

Name: Chromecast_Ports_TCP.
Description: Chromecast_Ports_TCP.
Type: Ports.
Ports(s):
- 8008, 8009 : Chromecast Ports.
- 8443 : Required for the Google Home app on Android.

Click Add.

Name: Chromecast_Ports_UDP.
Description: Chromecast_Ports_UDP.
Type: Ports.
Ports(s):
- 1900 : SSDP.
- 5353 : Bonjour services/discovery.
- 5556, 5558 : Videostream Ports.
- 32768:61000 : Chromecast Ports.

Allow both TCP ports 8008 and 8009 outbound to the Chromecast device.
Allow high UDP ports both incoming and outgoing. “High ports” are the local ports usually ranging 32768-61000.
Allow the special SSDP packets outbound (which is UDP traffic to the multicast IP 239.255.255.250, destination port 1900) which is used to check for other Google devices in the same network. Google devices reply with the Source IP to this packet.

See: https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-6/chromecastDG76/ChromecastDG76.html

See: https://help.ui.com/hc/en-us/articles/360001004034-UniFi-Best-Practices-for-Managing-Chromecast-Google-Home-on-UniFi-Network

Define Alias for FTPes Ports

Navigate to Firewall → Aliases → Ports.

Click Add.

Name = FTPes_Ports.
Description = FTPes_Ports.
Type: Ports.
Ports(s):
- 55000:55005 : FTPes Ports.

Define Alias for Other Ports allowed to communicate between internal subnets

Create a list of ports to define what traffic is permitted to traverse between local subnets.

Navigate to Firewall → Aliases → Ports.

Click Add.

Name = Allowed_OUT_Ports_LAN.
Description: Allowed LAN Ports.
Type: Ports.
Ports(s):
- 21 : FTP
- 22 : SSH
- 53 : DNS
- 80 : HTTP
- 123 : NTP
- 161 : SNMP
- 427 : SLP (Printer scanner)
- 443 : HTTPS
- 515 : LPD (Printer)
- 631 : IPP (Printer)
- 853 : DNS TLS
- 3389 : Remote desktop
- 5001 : iPerf
- 5353:5354 : MDNS
- 5900 : IPMI
- 9000 : VNC
- 49152:65535 : Ephemeral ports

Click Save.

NOTE: You will need to amend this alias as per your own networks requirements, but this should get you started.

To better understand what needs you have, enable firewall logging and review the firewall logs which will illustrate which ports are being used or blocked.

Define Alias for Ports allowed to access the internet

Navigate to Firewall → Aliases → Ports.

Click Add.

Name = Allowed_OUT_Ports_WAN.
Description: Allowed WAN Ports.
Type: Ports.
Ports(s):
- 21 : FTP
- 22 : SSH
- 53 : DNS
- 80 : HTTP
- 119 : NNTP
- 143 : IMAP
- 443 : HTTPS
- 465 : SMTPS
- 587 : SMTPS
- 993 : IMAPS
- 5222 : XMPP
- 6667 : IRC
- 6697 : IRCS
- 8080 : HTTP Alt
- 8443 : CalDAV
- 8843 : CardDAV
- 49152:65535 : Ephemeral ports

Click Save.

NOTE: You will need to amend this alias as per your own networks requirements, but this should get you started.

To better understand what needs you have, enable firewall logging and review the firewall logs which will illustrate which ports are being used or blocked.

Return to Install pfSense or continue to Create Firewall Rules.

Table of Contents

PFSense - Install pfSense - Create Firewall Aliases

Define Alias for Local Subnets

Define Alias for Printers

Define Alias for Ubiquiti

Define Alias for Plex

Define Alias for Chromecast Ports

Define Alias for FTPes Ports

Define Alias for Other Ports allowed to communicate between internal subnets

Define Alias for Ports allowed to access the internet