

PFSense - Install pfSense - Create Firewall Rules

WAN Firewall Rules

Navigate to Firewall → Rules → WAN.

There should be two default rules already on this page, created by the rule autogeneration option configured on the WAN interface.


LAN Firewall Rules

LAN Firewall rules will cover:

  • Anti-Lockout to ensure you can always gain access to pfSense.
  • Allow ICMP pings to facilitate debugging.
  • Allow traffic to the local networks on approved ports.
  • Allow internet traffic on approved ports.
  • Redirect any non-local DNS lookups back to the pfSense DNS server.
  • Redirect any non-local NTP time lookups back to the pfSense time server.
  • Reject any other traffic.

    NOTE: Reject is used rather than Block on internal interfaces so that any program sending traffic gets an immediate response instead of waiting for a timeout to occur.


Anti-Lockout

There should be a default Anti-Lockout rule already created on this page.

There should also be default Permit Traffic Rules.

NOTE: These allow all traffic through from the LAN.

This may be too open, as they allow all traffic.

To tighten this, these default rules will be disabled and replaced with rules that allow only specific traffic.


Allow ICMP Pings

  • Click Add (up arrow).
  • Action: Pass.
  • Disabled: Not Checked.
  • Interface: LAN.
  • Address Family: IPv4.
  • Protocol: ICMP.
  • ICMP subtype: echo request.
  • Source: LAN net.
  • Destination: Any.
  • Log: Not Checked.
  • Description: LAN - Allow ICMP Ping.


Allow local traffic from LAN interface to all other subnets

TODO: Not currently used. Check this out and update etc.

Navigate to Firewall → Rules.

Select LAN.

  • Click Add (up arrow).
  • Action: Pass.
  • Disabled: Not Checked.
  • Interface: LAN
  • Address Family: IPv4.
  • Protocol: TCP/UDP.
  • Source: LAN net.
  • Destination:
    • Invert Match: Not Checked.
    • Single Host or alias: LOCAL_SUBNETS.
  • Destination Port Range:
    • From: Other
    • Custom: Allowed_OUT_Ports_LAN.
    • To: Other.
    • Custom: Allowed_OUT_Ports_LAN.
  • Log: Not Checked.
  • Description: LAN - Allow traffic to local subnets.

Allow traffic from LAN interface to Internet

TODO: Not currently used. Check this out and update etc.

Traffic destined for the internet is identified as traffic whose destination is NOT in LOCAL_SUBNETS.

Navigate to Firewall → Rules.

Select LAN.

  • Click Add (up arrow).
  • Action: Pass.
  • Disabled: Not Checked.
  • Interface: LAN
  • Address Family: IPv4.
  • Protocol: TCP/UDP.
  • Source: LAN net.
  • Destination:
    • Invert Match: Checked.
    • Single Host or alias: LOCAL_SUBNETS.
  • Destination Port Range:
    • From: Other
    • Custom: Allowed_OUT_Ports_WAN.
    • To: Other.
    • Custom: Allowed_OUT_Ports_WAN.
  • Log: Not Checked.
  • Description: LAN - Allow traffic to WAN.

Block unknown IPv4

TODO: Not currently used. Check this out and update etc.

  • Click ↴+Add.
  • Action: Reject.
  • Disabled: Not Checked.
  • Interface: LAN.
  • Address Family: IPv4.
  • Protocol: Any.
  • Source: Any.
  • Destination: Any.
  • Log: Checked.
  • Description: LAN - Block IPv4.
  • Click Save.

NOTE: Reject is used rather than Block on internal interfaces so that any program sending traffic gets an immediate response instead of waiting for a timeout to occur.


Block unknown IPv6

TODO: Not currently used. Check this out and update etc.

  • Click ↴+Add.
  • Action: Reject.
  • Disabled: Not Checked.
  • Interface: LAN.
  • Address Family: IPv6.
  • Protocol: Any.
  • Source: Any.
  • Destination: Any.
  • Log: Not Checked.
  • Description: LAN - Block IPv6.
  • Click Save.

NOTE: Reject is used rather than Block on internal interfaces so that any program sending traffic gets an immediate response instead of waiting for a timeout to occur.


Disable the Permit Traffic Rules

TODO: Not currently used. Check this out and update etc.

The default Permit Traffic Rules should be right at the bottom.

They will never be reached, as the Block unknown IPv4 and Block unknown IPv6 rules above them will already have rejected anything else.

However, to be safe it is suggested these be disabled.

Click the Tick Mark against these rules to disable them for now.

NOTE: These firewall rules can also be deleted, but it is safer to keep them for now so they can be quickly re-enabled if needed.

For now, ensure that both these rules sit at the very bottom of all other firewall rules on the LAN interface.


CLEAR Firewall Rules

The requirements for this interface are:

  • Allow ICMP pings to facilitate debugging.
  • Allow traffic to local networks on approved ports.
  • Allow internet traffic on approved ports via default gateway.
  • Allow non-local DNS lookups. (DHCP allocates public DNS Servers).
  • Allow non-local NTP time lookups.
  • Reject any other traffic.

Allow ICMP Pings

TODO: Not currently used. Check this out and update etc.

Navigate to Firewall → Rules.

Select CLEAR.

  • Click ↴+Add.
  • Action: Pass.
  • Disabled: Not Checked.
  • Interface: LAN.
  • Address Family: IPv4.
  • Protocol: ICMP.
  • ICMP subtype: echo request.
  • Source: LAN net.
  • Destination: Any.
  • Log: Not Checked.
  • Description: LAN - Allow ICMP Ping.

Allow local traffic from CLEAR interface to all other subnets

TODO: Not currently used. Check this out and update etc.

Navigate to Firewall → Rules.

Select CLEAR.

  • Click ↴+Add.
  • Action: Pass.
  • Disabled: Not Checked.
  • Interface: CLEAR
  • Address Family: IPv4.
  • Protocol: TCP/UDP.
  • Source: CLEAR net.
  • Destination:
    • Invert Match: Not Checked.
    • Single Host or alias: LOCAL_SUBNETS.
  • Destination Port Range:
    • From: Other
    • Custom: Allowed_OUT_Ports_LAN.
    • To: Other.
    • Custom: Allowed_OUT_Ports_LAN.
  • Log: Not Checked.
  • Description: CLEAR - Allow traffic to local subnets.

Allow traffic from CLEAR interface to Internet

TODO: Not currently used. Check this out and update etc.

Traffic destined for the internet is identified as traffic whose destination is NOT in LOCAL_SUBNETS.

Navigate to Firewall → Rules.

Select CLEAR.

  • Click ↴+Add.
  • Action: Pass.
  • Disabled: Not Checked.
  • Interface: CLEAR
  • Address Family: IPv4.
  • Protocol: TCP/UDP.
  • Source: CLEAR net.
  • Destination:
    • Invert Match: Checked.
    • Single Host or alias: LOCAL_SUBNETS.
  • Destination Port Range:
    • From: Other
    • Custom: Allowed_OUT_Ports_WAN.
    • To: Other.
    • Custom: Allowed_OUT_Ports_WAN.
  • Log: Not Checked.
  • Description: CLEAR - Allow traffic to WAN.

NOTE: On the CLEAR network no redirection is made for DNS (port 53) or NTP (port 123) traffic, so this rule will also allow this traffic out.


Block unknown IPv4

TODO: Not currently used. Check this out and update etc.

  • Click ↴+Add.
  • Action: Reject.
  • Disabled: Not Checked.
  • Interface: CLEAR.
  • Address Family: IPv4.
  • Protocol: Any.
  • Source: Any.
  • Destination: Any.
  • Log: Checked.
  • Description: CLEAR - Block IPv4.
  • Click Save.

NOTE: Reject is used rather than Block on internal interfaces so that any program sending traffic gets an immediate response instead of waiting for a timeout to occur.


Block unknown IPv6

TODO: Not currently used. Check this out and update etc.

  • Click ↴+Add.
  • Action: Reject.
  • Disabled: Not Checked.
  • Interface: CLEAR.
  • Address Family: IPv6.
  • Protocol: Any.
  • Source: Any.
  • Destination: Any.
  • Log: Not Checked.
  • Description: CLEAR - Block IPv6.
  • Click Save.

NOTE: Reject is used rather than Block on internal interfaces so that any program sending traffic gets an immediate response instead of waiting for a timeout to occur.


IOT Firewall Rules

IOT devices should be prevented from accessing anything that is not essential to them.

The requirements for the IOT interface are:

  • Allow ICMP pings to facilitate debugging.
  • Deny traffic to other internal interfaces.
  • Deny traffic to any local networks.
  • Allow internet traffic via default gateway.
  • Redirect any non-local DNS lookups.
  • Redirect any non-local NTP time lookups.
  • Reject any other traffic.

Allow ICMP Pings

  • Click ↴+Add.
  • Action: Pass.
  • Disabled: Not Checked.
  • Interface: IOT.
  • Address Family: IPv4.
  • Protocol: ICMP.
  • ICMP subtype: echo request.
  • Source: IOT net.
  • Destination: Any.
  • Log: Not Checked.
  • Description: IOT - Allow ICMP Ping.

Deny traffic to other internal interfaces

Navigate to Firewall → Rules.

Click IOT.

  • Click ↴+Add.
  • Action: Reject.
  • Disabled: Not Checked.
  • Interface: IOT
  • Address Family: IPv4
  • Protocol: TCP/UDP.
  • Source: IOT net.
  • Destination:
    • Invert match: Checked.
    • Single host or alias.
    • Address: LOCAL_SUBNETS.
  • Destination Port Range:
    • From: Any.
    • To: Any.
  • Log: Not Checked.
  • Description: IOT - Reject internal interfaces.
  • Click Save.

Redirect DNS lookups

Navigate to Firewall → NAT.

Select Port Forward.

Click Add.

  • Disabled: Not Checked.
  • No RDR (NOT): Not Checked.
  • Interface: IOT.
  • Protocol: TCP/UDP.
  • Source: IOT net.
  • Source port range:
    • From: Any.
    • To: Any.
  • Destination:
    • Invert Match: Checked.
    • Single host or alias.
    • Address: IOT address.
  • Destination target port range:
    • From: DNS.
    • To: DNS.
  • Redirect target IP: 127.0.0.1.
  • Redirect target port: DNS.
  • Description: IOT DNS redirect.
  • No XMLRPC Sync: Not Checked.
  • NAT reflection: Use system default.
  • Filter rule association: Add associated filter rule.

Click Save and Apply.


Redirect NTP lookups

Navigate to Firewall → NAT.

Select Port Forward.

Click Add.

  • Disabled: Not Checked.
  • No RDR (NOT): Not Checked.
  • Interface: IOT.
  • Protocol: UDP.
  • Source: IOT net.
  • Source port range:
    • From: Any.
    • To: Any.
  • Destination:
    • Invert Match: Checked.
    • Single host or alias.
    • Address: IOT address.
  • Destination target port range:
    • From: NTP.
    • To: NTP.
  • Redirect target IP: 127.0.0.1.
  • Redirect target port: NTP.
  • Description: IOT NTP redirect.
  • No XMLRPC Sync: Not Checked.
  • NAT reflection: Use system default.
  • Filter rule association: Add associated filter rule.

Click Save and Apply.


Validate DNS & NTP Redirects

Navigate to Firewall → Rules.

Select IOT.

There should be two rules created for the NTP and DNS redirects at the bottom.
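The two mechanisms this page relies on, the LOCAL_SUBNETS alias with "Invert Match" to tell local traffic from internet traffic (see "Allow traffic from LAN interface to Internet") and the IOT DNS/NTP port forwards, can be checked with a small first-match model. This is an added example, not pfSense code or anything from the original page; the subnet values, port aliases and the IOT address are constructed assumptions.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the page): the LOCAL_SUBNETS
# and port aliases, plus pfSense's own address on the IOT interface.
LOCAL_SUBNETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "192.168.3.0/24")]
ALLOWED_OUT_PORTS_LAN = {22, 445, 8006}
ALLOWED_OUT_PORTS_WAN = {80, 443}
IOT_NET = ipaddress.ip_network("192.168.3.0/24")
IOT_ADDRESS = ipaddress.ip_address("192.168.3.1")

def in_subnets(addr, networks):
    return any(ipaddress.ip_address(addr) in n for n in networks)

def dst_matches(dst, invert):
    """The Destination field with LOCAL_SUBNETS as the target: 'Invert Match' flips
    the result, which is how the page separates local traffic from internet traffic."""
    return in_subnets(dst, LOCAL_SUBNETS) != invert

# LAN filter rules in tab order: (action, protocols, invert LOCAL_SUBNETS match, ports).
# invert=None means any destination, ports=None means any port; the last entry is the
# 'Block unknown IPv4' reject.
LAN_RULES = [
    ("pass", {"icmp"}, None, None),
    ("pass", {"tcp", "udp"}, False, ALLOWED_OUT_PORTS_LAN),
    ("pass", {"tcp", "udp"}, True, ALLOWED_OUT_PORTS_WAN),
    ("reject", {"tcp", "udp", "icmp"}, None, None),
]

def evaluate(proto, dst, dport=0, rules=LAN_RULES):
    """First matching rule wins, as in pfSense; returns that rule's action."""
    for action, protos, invert, ports in rules:
        if proto not in protos:
            continue
        if invert is not None and not dst_matches(dst, invert):
            continue
        if ports is not None and dport not in ports:
            continue
        return action
    return "reject"  # implicit default deny if nothing matched

def rdr_iot(src, dst, proto, dport):
    """The two IOT port forwards: from IOT net, to any host except the IOT address,
    DNS (53, tcp/udp) or NTP (123, udp) is sent to 127.0.0.1 on the same port.
    Returns the new (ip, port) or None when the packet is left alone."""
    if not in_subnets(src, [IOT_NET]) or ipaddress.ip_address(dst) == IOT_ADDRESS:
        return None
    if (dport == 53 and proto in ("tcp", "udp")) or (dport == 123 and proto == "udp"):
        return ("127.0.0.1", dport)
    return None
```

Note that a LAN host using a WAN-only port against a local subnet (for example 443 to 192.168.1.10 with the aliases above) falls through to the final reject, which is the intended effect of splitting the two port aliases.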


Allow IOT to Access the Internet

  • Click ↴+Add.
  • Action: Pass.
  • Disabled: Not Checked.
  • Interface: IOT
  • Address Family: IPv4.
  • Protocol: TCP/UDP
  • Source: IOT net.
  • Destination
    • Invert match: Checked.
    • Single host or alias.
    • Address: LOCAL_SUBNETS.
  • Destination Port Range:
    • From: Any.
    • To: Any.
  • Log: Not Checked.
  • Description: IOT - Pass WAN.
  • Click Save.

Block unknown IPv4

  • Click ↴+Add.
  • Action: Reject.
  • Disabled: Not Checked.
  • Interface: IOT.
  • Address Family: IPv4.
  • Protocol: Any.
  • Source: Any.
  • Destination: Any.
  • Log: Checked.
  • Description: IOT - Block IPv4.
  • Click Save.

NOTE: Reject is used rather than Block on internal interfaces so that any program sending traffic gets an immediate response instead of waiting for a timeout to occur.


Block unknown IPv6

  • Click ↴+Add.
  • Action: Reject.
  • Disabled: Not Checked.
  • Interface: IOT.
  • Address Family: IPv6.
  • Protocol: Any.
  • Source: Any.
  • Destination: Any.
  • Log: Not Checked.
  • Description: IOT - Block IPv6.
  • Click Save.

NOTE: Reject is used rather than Block on internal interfaces so that any program sending traffic gets an immediate response instead of waiting for a timeout to occur.


GUEST Firewall Rules

Guests are not allowed to access any internal devices or subnets.

The requirements for the guest interface are:

  • Allow ICMP pings to facilitate debugging.
  • Deny traffic to other internal interfaces.
  • Deny traffic to any local networks.
  • Allow internet traffic via default gateway.
  • Allow non-local DNS lookups.
  • Allow non-local NTP time lookups.
  • Allow Guest-to-Guest network traffic.
  • Reject any other traffic.

Allow ICMP Pings

Navigate to Firewall → Rules.

Click GUEST.

  • Click ↴+Add.
  • Action: Pass.
  • Disabled: Not Checked.
  • Interface: GUEST.
  • Address Family: IPv4.
  • Protocol: ICMP.
  • ICMP subtype: echo request.
  • Source: GUEST net.
  • Destination: Any.
  • Log: Not Checked.
  • Description: GUEST - Allow ICMP Ping.

Deny traffic to other internal interfaces

  • Click ↴+Add.
  • Action: Reject.
  • Disabled: Not Checked.
  • Interface: GUEST
  • Address Family: IPv4
  • Protocol: TCP/UDP.
  • Source: GUEST net.
  • Destination:
    • Invert match: Checked.
    • Single host or alias.
    • Address: LOCAL_SUBNETS.
  • Destination Port Range:
    • From: Any.
    • To: Any.
  • Log: Not Checked.
  • Description: GUEST - Reject internal interfaces.
  • Click Save.

Allow Guest to Access the Internet

This permits external access, including DNS (port 53) and NTP (port 123) traffic.

  • Click ↴+Add.
  • Action: Pass.
  • Disabled: Not Checked.
  • Interface: GUEST
  • Address Family: IPv4.
  • Protocol: TCP/UDP
  • Source: GUEST net.
  • Destination
    • Invert match: Checked.
    • Single host or alias.
    • Address: LOCAL_SUBNETS.
  • Destination Port Range:
    • From: Any.
    • To: Any.
  • Log: Not Checked.
  • Description: GUEST - Pass WAN.
  • Click Save.

NOTE: On the GUEST network no redirection is made for DNS (port 53) or NTP (port 123) traffic, so this rule will also allow this traffic out.


Block unknown IPv4

  • Click ↴+Add.
  • Action: Reject.
  • Disabled: Not Checked.
  • Interface: GUEST.
  • Address Family: IPv4.
  • Protocol: Any.
  • Source: Any.
  • Destination: Any.
  • Log: Checked.
  • Description: GUEST - Block IPv4.
  • Click Save.

NOTE: Reject is used rather than Block on internal interfaces so that any program sending traffic gets an immediate response instead of waiting for a timeout to occur.


Block unknown IPv6

  • Click ↴+Add.
  • Action: Reject.
  • Disabled: Not Checked.
  • Interface: GUEST.
  • Address Family: IPv6.
  • Protocol: Any.
  • Source: Any.
  • Destination: Any.
  • Log: Not Checked.
  • Description: GUEST - Block IPv6.
  • Click Save.

NOTE: Reject is used rather than Block on internal interfaces so that any program sending traffic gets an immediate response instead of waiting for a timeout to occur.


Return to Install pfSense or continue to Reboot and Verify.


pfsense/install_pfsense/create_firewall_rules.1609866710.txt.gz · Last modified: 2021/01/05 17:11 by peter