pfSense Basic Configuration


I recently restructured my Proxmox server so that all incoming and outgoing traffic goes through a pfSense router. The main goal of this is to provide consistent IP addresses to all the virtual machines and containers running on the host. The general setup of pfSense went smoothly, for the most part.

If at any point you lose access to the dashboard because of the firewall rules, you can disable them temporarily by running pfctl -d. Note that this disables packet filtering entirely, so re-enable it with pfctl -e as soon as the rules are fixed.

Setup

This setup assumes that the WAN interface (called vtnet0) receives a DHCP address from the local network and that the LAN interface (called vtnet1) has the address 10.0.0.1/24, that is, 10.0.0.1 to 10.0.0.255.

To install, just follow the setup steps, choosing the default options. Once pfSense is installed and the dashboard can be accessed, the setup can continue.


Dashboard

After the install, run the pfctl -d command to ensure access to the dashboard on WAN. Once this is done you can access the dashboard in your browser at http://<dhcp-wan-address>. This will land you on the setup wizard of pfSense.

Wizard / pfSense Setup / General Information

  • Hostname [pfsense]
  • Domain [localdomain]
  • Primary DNS [8.8.8.8]
  • Secondary DNS [8.8.4.4]
  • Override DNS [true]

Wizard / pfSense Setup / Configure WAN Interface

  • Selected Type [dhcp]
  • Block RFC1918 Private Networks [false]
  • Block bogon networks [false]

Leave all other values as they are.

Wizard / pfSense Setup / Configure LAN Interface

  • LAN IP Address [10.0.0.1]
  • Subnet Mask [24]

Wizard / pfSense Setup / Set Admin WebGUI Password

Be sensible. Make sure you set a strong password.


Firewall

The firewall is where things get interesting. If this is misconfigured, you can easily manage to lock yourself out of the dashboard and prevent any clients from accessing the internet.

Firewall / Aliases / Ports

To make some of the other setup easier, we can define an alias for the pfSense admin ports. This means that when creating rules, the alias can be used instead of individual ports.

Create an alias called pfsense_admin with the following ports attached to it:

  • 8080 (pfSense dashboard)
  • 2222 (pfSense SSH)

Firewall / Rules / WAN

We need to create a rule which allows access to the dashboard from the WAN network. Normally this is blocked, but as the WAN network here is the normal home network we can allow it.

Create a new rule with the following:

  • Action [Pass]
  • Interface [WAN]
  • Source [any]
  • Destination [This firewall (self)]
  • Destination Port Range
    • From [other]
    • Custom [pfsense_admin]
    • To [other]
    • Custom [pfsense_admin]

Now that this rule has been added, we can go about changing the port which the pfSense web GUI runs on.

System / Advanced / Admin Access

  • Protocol [https]
  • TCP Port [8080]
  • Secure Shell Server [true]
  • SSHd Key Only [Password or Public Key]
  • SSH Port [2222]

This tells pfSense to run the web GUI on port 8080 and allow SSH access on port 2222. All the other settings here can be left alone.
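Since pfctl -d leaves the box unfiltered and a stray WAN pass rule can expose more than the two admin ports, it is worth checking the active ruleset after these steps. The following script is an added example, not part of the original post: it parses the text of pfctl -s info and pfctl -sr (the sample output below is constructed and its format approximated, not captured from a real box) and reports whether filtering is enabled and which inbound WAN pass rules target ports outside the pfsense_admin alias.

```python
import re

# Ports the pfsense_admin alias from the post is meant to cover, and the WAN interface name.
ADMIN_PORTS = {8080, 2222}
WAN_IF = "vtnet0"

# Constructed sample of `pfctl -s info` output (format approximated).
SAMPLE_INFO = "Status: Enabled for 0 days 00:12:31           Debug: Urgent\n"

# Constructed sample of `pfctl -sr` output (format approximated). The two rules on
# ports 8080 and 2222 are the intended admin rules; the rule on 443 and the
# unrestricted "from any to any" rule are the kind of leftovers an audit should flag.
SAMPLE_RULES = """\
pass in quick on vtnet0 inet proto tcp from any to (vtnet0) port = 8080 flags S/SA keep state label "USER_RULE: admin"
pass in quick on vtnet0 inet proto tcp from any to (vtnet0) port = 2222 flags S/SA keep state label "USER_RULE: admin"
pass in quick on vtnet0 inet proto tcp from any to (vtnet0) port = 443 flags S/SA keep state label "USER_RULE: old gui"
pass in quick on vtnet0 inet from any to any keep state label "USER_RULE: temporary"
pass in quick on vtnet1 inet from 10.0.0.0/24 to any flags S/SA keep state label "USER_RULE: LAN to any"
"""


def pf_enabled(info_text):
    """True when `pfctl -s info` reports filtering enabled (pfctl -d turns it off, pfctl -e back on)."""
    m = re.search(r"^Status:\s+(\w+)", info_text, re.M)
    return bool(m) and m.group(1) == "Enabled"


def audit_wan_pass_rules(rules_text, wan_if=WAN_IF, admin_ports=ADMIN_PORTS):
    """Return (reason, rule) pairs for inbound WAN pass rules that are not the intended admin rules.

    reason is "no-port-restriction" when the rule has no destination port at all,
    or "unexpected-port" when it allows a port outside admin_ports.
    """
    findings = []
    for line in rules_text.splitlines():
        if not line.startswith("pass in") or f" on {wan_if} " not in line:
            continue  # only inbound pass rules on the WAN interface matter here
        port = re.search(r"port = (\d+)", line)
        if port is None:
            findings.append(("no-port-restriction", line))
        elif int(port.group(1)) not in admin_ports:
            findings.append(("unexpected-port", line))
    return findings


if __name__ == "__main__":
    print("pf enabled:", pf_enabled(SAMPLE_INFO))
    for reason, rule in audit_wan_pass_rules(SAMPLE_RULES):
        print(f"{reason}: {rule}")
```

On a real install, feed the script the actual output of pfctl -s info and pfctl -sr instead of the constructed samples.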


Static IP Leases

It can be useful to ensure that a host always has the same IP address. The easiest way to do this is to first connect the host to the pfSense network. This way pfSense will assign it a dynamic IP address, meaning it shows up in the DHCP leases section of the dashboard (found at 'Status / DHCP Leases').

Once on this dashboard, there should be a small plus icon on the far right of the DHCP entry. Clicking this will redirect you to a page where you can edit the static address for the host. The advantage of this is that it auto-fills the client MAC address field and the hostname. From here you can set the IP address (must be in the range 10.0.0.10 to 10.0.0.245). Additionally, you can specify a description to be shown next to the mapping.