PFSense - Install pfSense - pfSense Configuration

DNS Server Settings

Navigate to System → General Setup.

In DNS Server Settings:

  • DNS servers: Leave at the defaults. These servers are only consulted when Unbound runs in Forwarding Mode; with Unbound acting as the Resolver, as in this setup, client lookups never reach them.
    • Use Gateway: none. Only relevant on Multi-WAN networks and, since Unbound does the resolving, not used here anyway.
  • DNS Server Override: Not Checked. Prevents the DNS server list configured here from being overwritten by the ISP (DHCP/PPP on WAN) or other applications.
  • Disable DNS Forwarder: Not Checked. Leaving this unchecked makes pfSense itself use the local Unbound resolver, and its cache, for its own lookups.
  • Click Save.

The DNS servers entered here are not used beyond this initial setup, because Unbound will be configured as the DNS Resolver and will answer queries itself, resolving them from the root servers down rather than asking an upstream server.

If Unbound were instead configured in Forwarding Mode, it would hand every query to the servers listed here and would not resolve anything itself. That is not wanted in this setup.


webConfigurator

Navigate to System → General Setup.

In webConfigurator:

  • Dashboard Columns: 3.
  • Click Save.

NOTE: The number of Dashboard Columns is personal preference. Change as needed.


Enable SSH Access

Navigate to System → Advanced → Admin Access.

In Secure Shell:

  • Enable Secure Shell: Checked.
  • SSHd Key Only: Password or Public Key. Public Key Only is the stronger choice once a key has been installed for the admin account; password logins on a firewall's management interface should be avoided where possible.
  • Allow Agent Forwarding: Not Checked.
  • SSH Port: 22.
  • Click Save.

NOTE: The webConfigurator will reload and the banner will display a red warning sign (top right) indicating that pfSense has generated its SSH host keys.

Click on Mark all as read to remove the warning.
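
With SSH now enabled, the DNS and SSH settings above can be verified from the pfSense shell rather than trusted from the GUI. The following POSIX shell script is an added example, not part of the original page or of pfSense itself. It assumes pfSense's usual file locations (/etc/resolv.conf for the firewall's own resolver list, /var/unbound/unbound.conf for the Unbound configuration the GUI writes, /etc/ssh/sshd_config for sshd); the sample files it audits are constructed inline so that it runs anywhere.

```shell
#!/bin/sh
# Post-configuration audit for the DNS and SSH steps above. This is an added
# example, not part of the original page or of pfSense. It assumes pfSense's
# usual file locations: /etc/resolv.conf for the firewall's own resolver list,
# /var/unbound/unbound.conf for the Unbound configuration the GUI writes and
# /etc/ssh/sshd_config for sshd. The sample files below are constructed for
# the demonstration; on a real firewall, call the functions on the live paths.

# With "Disable DNS Forwarder" left unchecked, the firewall itself resolves
# through the local Unbound instance, so the first nameserver in resolv.conf
# is 127.0.0.1 (or ::1). Returns 0 when that is the case, 1 otherwise.
resolves_locally() {
    awk '
        /^nameserver[ \t]/ { first = $2; exit }
        END { exit ((first == "127.0.0.1" || first == "::1") ? 0 : 1) }
    ' "$1"
}

# Unbound in Forwarding Mode carries a forward-zone for "." with one
# forward-addr per upstream server; in Resolver Mode no such zone exists.
# Prints the upstream addresses, one per line, and returns 0 when forwarding,
# 1 when resolving.
unbound_forwarders() {
    awk '
        /^[ \t]*forward-zone:/    { inzone = 1; next }
        inzone && /^[^ \t]/       { inzone = 0 }
        inzone && /forward-addr:/ { print $2; found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# "SSHd Key Only: Password or Public Key" leaves PasswordAuthentication on.
# sshd honours the first occurrence of a keyword and defaults to yes.
# Returns 0 when sshd still accepts passwords, 1 when it is key-only.
ssh_accepts_passwords() {
    awk '
        tolower($1) == "passwordauthentication" && v == "" { v = tolower($2) }
        END { if (v == "") v = "yes"; exit ((v == "yes") ? 0 : 1) }
    ' "$1"
}

# --- constructed sample files -----------------------------------------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/resolv.conf" <<'EOF'
# constructed sample of what pfSense writes with "Disable DNS Forwarder" unchecked
domain home.arpa
nameserver 127.0.0.1
nameserver 9.9.9.9
EOF

cat > "$tmp/unbound-resolver.conf" <<'EOF'
server:
  interface: 0.0.0.0
  do-not-query-localhost: no
EOF

cat > "$tmp/unbound-forwarding.conf" <<'EOF'
server:
  interface: 0.0.0.0
forward-zone:
  name: "."
  forward-addr: 9.9.9.9
  forward-addr: 149.112.112.112
EOF

cat > "$tmp/sshd_config" <<'EOF'
Port 22
PasswordAuthentication yes
AllowAgentForwarding no
EOF

cat > "$tmp/sshd_config.keyonly" <<'EOF'
Port 22
PasswordAuthentication no
AllowAgentForwarding no
EOF

resolves_locally "$tmp/resolv.conf" && echo "firewall resolves via local Unbound"
unbound_forwarders "$tmp/unbound-resolver.conf" >/dev/null || echo "resolver mode: no forwarders"
echo "forwarding mode: $(unbound_forwarders "$tmp/unbound-forwarding.conf" | tr '\n' ' ')"
ssh_accepts_passwords "$tmp/sshd_config" && echo "WARNING: sshd accepts passwords; prefer Public Key Only"
ssh_accepts_passwords "$tmp/sshd_config.keyonly" || echo "sshd is key-only"
```

On the firewall itself the same three checks are `resolves_locally /etc/resolv.conf`, `unbound_forwarders /var/unbound/unbound.conf` (which should print nothing and return 1 for this setup) and `ssh_accepts_passwords /etc/ssh/sshd_config`.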


Firewall & NAT Configuration

Navigate to System → Advanced → Firewall & NAT.

In Firewall Advanced:

  • Firewall Optimization Options: Normal. Conservative is an alternative that tries to avoid dropping legitimate idle connections (helpful for VoIP), at the cost of higher memory and CPU use.
  • Firewall Maximum States: leave at the default.
  • Firewall Maximum Table Entries: 1000000. Raised above the default so that large alias tables and the bogon lists (the IPv6 bogon list in particular is large) load completely instead of being truncated.

In Bogon Networks:

  • Update Frequency: Monthly.
  • Click Save.

NOTE: Bogon addresses are address blocks that should never appear as a source address on the public internet: private and other special-purpose ranges (RFC 1918 space, loopback, link-local and the like) together with space that has not been allocated by IANA or the regional registries.

The bogon list is not static. Address blocks are allocated and occasionally returned or re-assigned, so while the core of the list stays the same for long periods, it changes often enough that it must be refreshed regularly to be useful as a block list; pfSense fetches an updated list on the schedule set here.

Bogon source addresses are attractive to attackers because traffic carrying them cannot be traced back to a real host (the source address is spoofed or unroutable), and nothing legitimate should ever arrive from them, so pfSense blocks them on the WAN interface (Block bogon networks under Interfaces → WAN).

Blocking bogon networks must not be enabled on local/private interfaces such as LAN: the LAN itself uses private (RFC 1918) addresses, which are on the bogon list, so the rule would block the LAN's own traffic.
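
To make concrete what the WAN rule matches, and why it cannot be used on LAN, the following POSIX shell script is an added example (not from the original page or from pfSense) that tests IPv4 addresses against a fixed list of well-known special-purpose prefixes. The list is a constructed subset for illustration; pfSense's live feed is larger and also covers unallocated space, which a static table cannot.

```shell
#!/bin/sh
# Added example, not from the original page or from pfSense: a static IPv4
# bogon check in POSIX shell. It shows what the WAN bogon rule matches and
# why the same rule would break a LAN that uses RFC 1918 space. pfSense's
# real list is downloaded and refreshed on the schedule set above; the table
# below is a fixed subset of well-known special-purpose prefixes, constructed
# for this example, and will not catch the unallocated space the live list does.

# Convert a dotted quad to a 32-bit integer. The body runs in a subshell so
# the IFS change does not leak; "exit" therefore only leaves the subshell.
# Prints nothing and returns 1 on malformed input.
ip_to_int() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Well-known IPv4 special-purpose prefixes (RFC 6890 and related registries).
BOGONS_V4="
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.2.0/24
192.168.0.0/16
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
224.0.0.0/4
240.0.0.0/4
"

# Prints the matching prefix and returns 0 if $1 is a bogon, 1 if it is not,
# 2 if the address cannot be parsed.
is_bogon() {
    addr=$(ip_to_int "$1") || return 2
    for cidr in $BOGONS_V4; do
        net=$(ip_to_int "${cidr%/*}")
        bits=${cidr#*/}
        # network mask with the top $bits bits set, truncated to 32 bits
        # (4294967295 is 0xFFFFFFFF, written in decimal for portability)
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
        if [ $(( addr & mask )) -eq $(( net & mask )) ]; then
            echo "$cidr"
            return 0
        fi
    done
    return 1
}

# Demonstration: spoofed or reserved sources arriving on WAN are dropped, a
# public address passes, and a typical LAN client address would be caught
# as well, which is why the rule belongs on WAN only.
for ip in 192.168.1.10 100.64.5.1 8.8.8.8 198.51.100.7 203.0.114.1; do
    if match=$(is_bogon "$ip"); then
        echo "$ip  bogon ($match)"
    else
        echo "$ip  not a bogon"
    fi
done
```

The loop prints 192.168.1.10 as a bogon (192.168.0.0/16): that is exactly a LAN client's source address, so the same rule on the LAN interface would drop all of its traffic.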


Networking

Navigate to System → Advanced → Networking.

In IPv6 Options:

  • Allow IPv6: Checked.

NOTE: IPv6 could be disallowed here if it is not needed; it is left Checked so that IPv6 is catered for. Unchecking it makes the firewall block all IPv6 traffic, on every interface.

In Network Interfaces:

  • Hardware Checksum Offloading: Not Checked (offloading stays enabled). The checkbox disables the offload, so Check it when not using Intel NICs: checksum offload is known to be broken on some Realtek NICs and on virtualised NICs such as VirtIO.
  • Hardware TCP Segmentation Offloading: Checked (offload disabled, the default).
  • Hardware Large Receive Offloading: Checked (offload disabled, the default).
  • Suppress ARP handling: Not Checked.
  • Reset All States: Not Checked.
  • Click Save.


Miscellaneous Configuration

Navigate to System → Advanced → Miscellaneous.

In Power Savings:

  • PowerD: Checked.
  • AC Power: Hiadaptive.
  • Battery Power: Hiadaptive.
  • Unknown Power: Hiadaptive.

In Cryptographic & Thermal Hardware:

  • Cryptographic Hardware: AES-NI CPU-based Acceleration.
  • Thermal Sensors: Intel Core CPU on-die thermal sensor.

NOTE: The Cryptographic Hardware setting assumes a processor with AES-NI; confirm it first under the Dashboard's System Information widget, which reports whether AES-NI CPU Crypto is present. The Thermal Sensors setting likewise assumes an Intel CPU; AMD systems use the AMD K8, K10 and K11 CPU on-die thermal sensor option.

In Gateway monitoring:

  • State Killing on Gateway Failure: Not Checked.
  • Skip rules when gateway is down: Checked.

NOTE: These settings matter when traffic is policy-routed through a VPN gateway. By default, when the gateway named in a rule is down, pfSense loads the rule without the gateway, so the matching traffic follows the default route (the plain WAN) and leaks outside the tunnel. With Skip rules when gateway is down Checked, such rules are omitted entirely, so the traffic is blocked rather than leaked unless some other rule passes it.

  • Click Save.

Return to Install pfSense or continue to Create VLANs.


pfsense/install_pfsense/pfsense_configuration.1609853340.txt.gz · Last modified: 2021/01/05 13:29 by peter
