Navigate to System → General Setup.
In DNS Server Settings:
The DNS Servers entered here will not actually be used beyond this initial setup, because Unbound will be configured as the DNS Resolver and will handle DNS queries itself.
If, on the other hand, Unbound were configured in Forwarding Mode, it would forward all DNS traffic to the DNS servers listed here instead of resolving the queries itself. That is not wanted in this setup.
Navigate to System → General Setup.
In webConfigurator:
NOTE: The number of Dashboard Columns is personal preference. Change as needed.
Navigate to System → Advanced → Admin Access.
In Secure Shell:
NOTE: The webConfigurator will reload and the banner will display a red warning sign (to the top right) indicating pfSense has created SSH keys.
Click on Mark all as read to remove the warning.
Navigate to System → Advanced → Firewall & NAT.
In Firewall Advanced:
In Bogon Networks:
NOTE: Bogon IP addresses and IP ranges are reserved for special use, such as for local or private networks, and should not appear on the public internet.
Bogon addresses are not static: address space is assigned, unassigned and reassigned over time. While the core of a bogon list stays the same for long periods, the list changes often enough that it must be updated frequently if it is to be used for blocking.
Bogon source addresses are useful to cybercriminals because packets carrying them cannot be attributed to an actual host (the source IP is bogus). Therefore bogon packets are blocked on the WAN interface.
Blocking bogon networks is not suited for use on local/private interfaces such as LAN.
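The following is an added illustration, not part of the original guide or of pfSense itself: a small Python model of what the WAN bogon block does to a handful of constructed packets. The bogon list is a static, hand-picked subset of the reserved ranges (pfSense downloads and refreshes the real list); the packet tuples are constructed sample data. It also shows why the same block must not be enabled on LAN: the LAN hosts' own private (RFC 1918) addresses are on the list, so their traffic would be dropped.

```python
import ipaddress

# Assumption: a static subset of well-known bogon ranges (RFC 1918, loopback,
# link-local, CGNAT, documentation and test nets, multicast, reserved).
# pfSense fetches and refreshes the real list; this is illustration only.
BOGON_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def is_bogon(ip: str) -> bool:
    """True if the address falls inside any range of the (static) bogon list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGON_RANGES)


# Constructed packets as (ingress interface, source IP, destination IP).
SAMPLE_PACKETS = [
    ("wan", "10.0.0.5", "203.0.113.10"),    # private source arriving from the internet: spoofed
    ("wan", "8.8.8.8", "203.0.113.10"),     # ordinary public source: allowed through
    ("lan", "192.168.1.20", "8.8.8.8"),     # legitimate LAN host heading out
]


def apply_bogon_block(packets, blocked_interfaces=("wan",)):
    """Drop packets whose source is a bogon on the interfaces where the
    block is enabled; return (passed, dropped)."""
    passed, dropped = [], []
    for iface, src, dst in packets:
        if iface in blocked_interfaces and is_bogon(src):
            dropped.append((iface, src, dst))
        else:
            passed.append((iface, src, dst))
    return passed, dropped


if __name__ == "__main__":
    # Block on WAN only: the spoofed packet is dropped, the LAN host is untouched.
    ok, bad = apply_bogon_block(SAMPLE_PACKETS)
    print("WAN only  -> dropped:", bad)
    # Block on WAN and LAN: the LAN host's own RFC 1918 address is now dropped too.
    ok, bad = apply_bogon_block(SAMPLE_PACKETS, ("wan", "lan"))
    print("WAN + LAN -> dropped:", bad)
```

Running the block prints one dropped packet for the WAN-only case and two when the block is extended to LAN, which is the concrete reason the guide leaves the bogon block off on local interfaces.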
Navigate to System → Advanced → Networking.
In IPv6 Options:
NOTE: IPv6 could be disabled here if it is not needed; it is currently left Checked so that IPv6 remains supported.
In Network Interfaces:
Navigate to System → Advanced → Miscellaneous.
In Power Savings:
In Cryptographic & Thermal Hardware:
NOTE: The Cryptographic Hardware setting assumes an AES-NI capable processor.
In Gateway monitoring:
ALERT: Take special note of the Skip rules when gateway is down option.
One might think that leaving the box unchecked means rules are skipped when the gateway is down. It means just the opposite!
The end result is that if the rules route your private traffic over a VPN and the VPN then goes down for some reason, the system silently routes that traffic over the default network instead.
If there is a need to still allow a computer to access the internet anytime (even when VPN is down) then a rule will be needed in Firewall → Rules → LAN to allow the internal IP address there.
NOTE: These are important settings to reduce the chance of leaks in the event the VPN goes down for any reason.
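The following is an added example, not part of the original guide or of pfSense: a simplified Python model of how a policy-routing rule behaves when its gateway is down, under each setting of Skip rules when gateway is down. The rule set, the gateway name VPN_GW and the host 192.168.1.50 are constructed assumptions. With the option unchecked the rule is kept but loses its gateway, so matching traffic follows the default route (the leak); with it checked the whole rule is omitted, so the traffic matches nothing and is blocked, unless an earlier rule such as the per-host exception above still passes it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """One LAN pass rule: matching source network and optional gateway."""
    src_net: str               # e.g. "192.168.1.0/24"
    gateway: Optional[str]     # e.g. "VPN_GW"; None means the default route


def effective_route(rules, src_ip, gateway_up, skip_rules_when_down):
    """Simplified model (assumption) of how pfSense loads rules whose gateway
    is down. Returns the gateway name, "DEFAULT" (traffic leaks out the normal
    route) or "BLOCKED" (no rule passes the traffic)."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if addr not in ipaddress.ip_network(rule.src_net):
            continue                      # rule does not match this source
        if rule.gateway is None:
            return "DEFAULT"              # plain pass rule, no policy routing
        if gateway_up.get(rule.gateway, False):
            return rule.gateway           # gateway healthy: policy route applies
        if skip_rules_when_down:
            continue                      # option checked: rule omitted entirely
        return "DEFAULT"                  # option unchecked: rule kept without its gateway
    return "BLOCKED"


# Constructed rule set: one host may always reach the internet directly
# (the exception described above); everything else on LAN must use the VPN.
LAN_RULES = [
    Rule("192.168.1.50/32", None),
    Rule("192.168.1.0/24", "VPN_GW"),
]


def leak_check(src_ip, vpn_up, skip_rules_when_down):
    """Where does this host's traffic go under the given gateway state?"""
    return effective_route(LAN_RULES, src_ip, {"VPN_GW": vpn_up}, skip_rules_when_down)


if __name__ == "__main__":
    for skip in (False, True):
        for up in (True, False):
            print(f"skip={skip!s:5} vpn_up={up!s:5} "
                  f"192.168.1.20 -> {leak_check('192.168.1.20', up, skip)}  "
                  f"192.168.1.50 -> {leak_check('192.168.1.50', up, skip)}")
```

The printed table shows the VPN-only host going to DEFAULT when the VPN is down and the option is unchecked, and to BLOCKED when it is checked, while the excepted host reaches DEFAULT in every case.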
Return to Install pfSense or continue to Create VLANs.