Table of Contents
PFSense - Install pfSense - Create Firewall Rules
WAN Firewall Rules
Navigate to Firewall → Rules → WAN.
There should be two default rules already created on this page, due to the autogeneration of rules option configured on the WAN Interface.
LAN Firewall Rules
Navigate to Firewall → Rules → LAN.
LAN Firewall rules will cover:
- Anti-Lockout to ensure you can always gain access to pfSense.
- Allow ICMP pings to facilitate debugging.
- Allow all other traffic, internal and external.
Anti-Lockout
There should be a default Anti-Lockout rule already created on this page.
Allow ICMP Pings
- Click Add (up arrow). Add this above the default Permit Traffic Rules.
- Action: Pass.
- Disabled: Not Checked.
- Interface: LAN.
- Address Family: IPv4.
- Protocol: ICMP.
- ICMP subtype: echo request.
- Source: LAN net.
- Destination: Any.
- Log: Not Checked.
- Description: LAN - Allow ICMP Ping.
NOTE: This is not actually needed here, as the Permit Traffic Rules defined next will also allow pings.
The reason this is included here separately is that we log any pings, and to cater for future changes.
Permit Traffic Rules
There should already be default Permit Traffic Rules.
NOTE: These rules allow all traffic through from the LAN.
This may be too Open, as they allow all traffic.
To secure this better, these default rules could be blocked and replaced with only allowing specific traffic.
The final ruleset for the LAN will be:
CLEAR Firewall Rules
Navigate to Firewall → Rules → CLEAR.
The requirements for this interface are:
- Allow access to the Printers.
- Allow internet traffic.
Allow traffic from CLEAR interface to Printers
Navigate to Firewall → Rules.
Select CLEAR.
- Click Add (up arrow).
- Action: Pass.
- Disabled: Not Checked.
- Interface: CLEAR
- Address Family: IPv4.
- Protocol: TCP/UDP.
- Source: CLEAR net.
- Destination:
- Invert Match: Not Checked.
- Single Host or alias: PRINTERS.
- Log: Checked.
- Description: Allow CLEAR to Printer.
NOTE: This allows users of the CLEAR network to access the Printers.
Allow traffic from CLEAR interface to the Internet
Navigate to Firewall → Rules.
Select CLEAR.
- Click Add (up arrow).
- Action: Pass.
- Disabled: Not Checked.
- Interface: CLEAR
- Address Family: IPv4.
- Protocol: ANY.
- Source: CLEAR net.
- Destination: any.
- Log: Checked.
- Description: Allow CLEAR to any.
NOTE: This allows users of the CLEAR network to access the internet.
The final ruleset for the CLEAR will be:
IOT Firewall Rules
Navigate to Firewall → Rules → IOT.
IOT devices should be prevented from accessing anything that is not-essential to them.
The requirements for the IOT interface are:
- Allow ICMP pings to facilitate debugging.
- Redirect any non-local DNS lookups.
- Redirect any non-local NTP time lookups.
- Deny traffic to other internal interfaces.
- Deny traffic to any local networks.
- Allow internet traffic via default gateway.
- Reject any other traffic.
Allow ICMP Pings
- Click ↴+Add.
- Action: Pass.
- Disabled: Not Checked.
- Interface: IOT.
- Address Family: IPv4.
- Protocol: ICMP.
- ICMP subtype: echo request.
- Source: IOT net.
- Destination: Any.
- Log: Not Checked.
- Description: IOT - Allow ICMP Ping.
Redirect DNS lookups
Navigate to Firewall → NAT.
Select Port Forward.
Click Add.
- Disabled: Not Checked.
- No RDR (NOT): Not Checked.
- Interface: IOT.
- Protocol: TCP/UDP.
- Source: IOT net.
- Source port range:
- From: Any.
- To: Any.
- Destination:
- Invert Match: Checked.
- Source: IOT address.
- Destination target port range:
- From: DNS.
- To: DNS.
- Redirect target IP: 127.0.0.1.
- Redirect target port: DNS.
- Description: IOT DNS redirect.
- No XMLRPC Sync: Not Checked.
- NAT reflection: Use system default.
- Filter rule association: Add associated filter rule.
Click Save and Apply.
Redirect NTP lookups
Navigate to Firewall → NAT.
Select Port Forward.
Click Add.
- Disabled: Not Checked.
- No RDR (NOT): Not Checked.
- Interface: IOT.
- Protocol: UDP.
- Source: IOT net.
- Source port range:
- From: Any.
- To: Any.
- Destination:
- Invert Match: Checked.
- Source: IOT address.
- Destination target port range:
- From: NTP.
- To: NTP.
- Redirect target IP: 127.0.0.1.
- Redirect target port: NTP.
- Description: IOT NTP redirect.
- No XMLRPC Sync: Not Checked.
- NAT reflection: Use system default.
- Filter rule association: Add associated filter rule.
Click Save and Apply.
Validate DNS & NTP Redirects
Navigate to Firewall → Rules.
Select IOT.
There should be two rules created for the NTP and DNS redirects at the bottom.
Reject traffic to other internal interfaces
Navigate to Firewall → Rules.
Click IOT.
- Click ↴+Add.
- Action: Reject.
- Disabled: Not Checked.
- Interface: IOT
- Address Family: IPv4
- Protocol: TCP/UDP.
- Source: IOT net.
- Destination:
- Invert match: Not Checked.
- Single host or alias.
- Address: LOCAL_SUBNETS.
- Destination Port Range:
- From: Any.
- To: Any.
- Log: Not Checked.
- Description: IOT - Reject internal interfaces.
- Click Save.
NOTE: Reject is used, instead of Block, as it returns quicker.
Allow IOT to Access the Internet
- Click ↴+Add.
- Action: Pass.
- Disabled: Not Checked.
- Interface: IOT
- Address Family: IPv4.
- Protocol: TCP/UDP
- Source: IOT net.
- Destination
- Invert match: Checked.
- Single host or alias.
- Address: LOCAL_SUBNETS.
- Destination Port Range:
- From: Any.
- To: Any.
- Log: Not Checked.
- Description: IOT - Allow traffic to WAN.
- Click Save.
Block unknown IPv4
- Click ↴+Add
- Action: Reject.
- Disabled: Not Checked.
- Interface: IOT.
- Address Family: IPv4.
- Protocol: Any.
- Source = Any.
- Destination: Any.
- Log: Checked.
- Description: IOT - Block IPv4.
- Click Save.
NOTE: Reject is used rather than block on internal interfaces to provide a response to any programs trying to send traffic preventing delays associated with waiting for time outs to occur.
Block unknown IPv6
- Click ↴+Add.
- Action: Reject.
- Disabled: Not Checked.
- Interface: IOT.
- Address Family: IPv6.
- Protocol: Any.
- Source: Any.
- Destination: Any.
- Log: Not Checked.
- Description: IOT - Block IPv6.
- Click Save.
NOTE: Reject is used rather than block on internal interfaces to provide a response to any programs trying to send traffic preventing delays associated with waiting for time outs to occur.
The final ruleset for the IOT will be:
GUEST Firewall Rules
Guests are not allowed to access any internal devices or subnets.
The requirements for the guest interface are:
- Allow ICMP pings to facilitate debugging.
- Deny traffic to other internal interfaces.
- Deny traffic to any local networks.
- Allow internet traffic via default gateway.
- Allow non-local DNS lookups.
- Allow non-local NTP time lookups.
- Allow Guest-to-Guest network traffic.
- Reject any other traffic.
Allow ICMP Pings
Navigate to Firewall → Rules.
Click GUEST.
- Click ↴+Add.
- Action: Pass.
- Disabled: Not Checked.
- Interface: GUEST.
- Address Family: IPv4.
- Protocol: ICMP.
- ICMP subtype: echo request.
- Source: GUEST net.
- Destination: Any.
- Log: Not Checked.
- Description: GUEST - Allow ICMP Ping.
Deny traffic to other internal interfaces
- Click ↴+Add.
- Action: Reject.
- Disabled: Not Checked.
- Interface: GUEST
- Address Family: IPv4
- Protocol: TCP/UDP.
- Source: GUEST net.
- Destination:
- Invert match: Not Checked.
- Single host or alias.
- Address: LOCAL_SUBNETS.
- Destination Port Range:
- From: Any.
- To: Any.
- Log: Checked.
- Description: GUEST - Reject internal interfaces.
- Click Save.
Allow Guest to Access the Internet
This permits the external access including DNS/port 53 and NTP/port 123 traffic.
- Click ↴+Add.
- Action: Pass.
- Disabled: Not Checked.
- Interface: GUEST
- Address Family: IPv4.
- Protocol: any
- Source: GUEST net.
- Destination: any.
- Log: Not Checked.
- Description: Allow GUEST to any.
- Click Save.
NOTE: On the GUEST network no redirection is made for DNS (port 53) or NTP (port 123) traffic, so this rule will also allow this traffic out.
The final ruleset for the GUEST will be:
Return to Install pfSense or continue to Reboot and Verify.