Defensive Lab Series: PFSense Configuration


In the previous post we covered the installation of pfSense. In this post we configure pfSense so that our network traffic is routed through the pfSense firewall. If you haven't read part 1, I highly recommend reading it first, as I continue from exactly where we left off.

Read part 1: http://blog.certcube.com/corporate-pfsense-installation-lab

PFsense Configuration

Before anything else we need to set the LAN interface address so that we can reach the web interface.

From the console menu, enter 2 (Set interface(s) IP address).

pfsense configuration 1

We are configuring the LAN, so select 2 again when asked which interface to configure.

Enter the IPv4 address 10.0.0.254 (the address we gave to the LAN network at the beginning).

The subnet bit count for this one is 32, so enter that.

pfsense configuration 2
  • We do not need an upstream gateway, so leave it blank and continue with the LAN.
  • We are not using IPv6, so leave that blank as well.
  • At the beginning we did not enable the DHCP service, because, as mentioned then, we will run DHCP on the router since all traffic will be routed through pfSense. So enable it here: enter Y.
  • Now assign the START and END addresses of the DHCP range.
  • We will be using HTTPS, so answer n when asked whether to revert the webConfigurator to HTTP.
pfsense configuration 3
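The console steps above set the interface address and a DHCP range by hand, and a typo there (a pool outside the subnet, or one that swallows the gateway address) only shows up later as clients that cannot talk. As an added example, not part of the original post, here is a small Python checker for such a plan. The prefix length and the DHCP range are constructed assumptions; the post itself gives only the LAN gateway 10.0.0.254. It also computes the highest usable host of a subnet, which is what the post later means by assigning an interface address "at the end of the spectrum".

```python
import ipaddress

# Constructed lab values (assumptions, not from the post, which gives only the
# LAN gateway 10.0.0.254; the prefix length and the DHCP range are made up here).
LAN_PLAN = {
    "interface_ip": "10.0.0.254",
    "prefix": 24,
    "dhcp_start": "10.0.0.10",
    "dhcp_end": "10.0.0.200",
}


def last_host_address(interface_ip, prefix):
    """Highest usable host address of the subnet, i.e. 'the end of the spectrum'."""
    net = ipaddress.ip_network(f"{interface_ip}/{prefix}", strict=False)
    return str(list(net.hosts())[-1])


def check_interface_plan(plan):
    """Return the problems found in an interface address + DHCP pool plan.

    An empty list means the plan is consistent.
    """
    problems = []
    net = ipaddress.ip_network(f"{plan['interface_ip']}/{plan['prefix']}", strict=False)
    gw = ipaddress.ip_address(plan["interface_ip"])
    start = ipaddress.ip_address(plan["dhcp_start"])
    end = ipaddress.ip_address(plan["dhcp_end"])

    # A /31 or /32 leaves no host addresses for DHCP clients.
    if net.prefixlen >= 31:
        problems.append(f"{net} has no addresses left for clients")
    # The interface must not sit on the network or broadcast address.
    if gw in (net.network_address, net.broadcast_address):
        problems.append(f"interface address {gw} is the network or broadcast address")
    if start > end:
        problems.append("DHCP start is after DHCP end")
    # Both ends of the pool have to lie inside the interface's subnet.
    for label, ip in (("start", start), ("end", end)):
        if ip not in net:
            problems.append(f"DHCP {label} {ip} lies outside {net}")
    # The pool must not hand out the gateway's own address.
    if start <= gw <= end:
        problems.append(f"DHCP range {start}-{end} includes the interface address {gw}")
    return problems


if __name__ == "__main__":
    print("LAN plan problems:", check_interface_plan(LAN_PLAN) or "none")
    print("last host of LAN subnet:", last_host_address("10.0.0.254", 24))
```

Run it before typing values into the console; the same checks apply unchanged to the LAN2 and DMZ interfaces configured later in the post.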

Now open a web browser on the host and visit

https://10.0.0.254

The browser warns about the self-signed certificate: click Advanced, then accept the risk and continue.

pfsense configuration 4
pfsense configuration 5

The default credentials are:

Username: admin

Password: pfsense

pfsense configuration 6

As with anything, it is not recommended to keep default credentials, so change them.

Before we move on to configuring firewall rules and additional packages, we need to configure the system through the setup wizard.

pfsense configuration 7
pfsense configuration 8

If you have a domain on which you want to host pfSense, or the central server of your organisation, enter it here. We will use the local domain only.

Also, the DNS servers are Google's, just so that we have internet connectivity.

pfsense configuration 9

In an actual organization environment we don't do that. There an internal DNS server is set up, so that hosts resolve through it and our own IP becomes the DNS.

pfsense configuration 10

Select your timezone.

pfsense configuration 11

Now configure the WAN interface: in an organisation, enter the static IP provided by your ISP; at home, use DHCP.

pfsense configuration 12

Keep these checked (block private networks and block bogon networks on WAN) to block unwanted traffic from the outside.

pfsense configuration 13

We already configured the LAN at the beginning, so this is done; click Next.

pfsense configuration 14

Now enter the new admin password and continue.

pfsense configuration 15

Click RELOAD.

pfsense configuration 16

Click Finish

pfsense configuration 17

Accept the User Terms and continue.

The home screen (dashboard) shows hardware, network and current system information.

pfsense configuration 18

To check whether we have network connectivity, go to Diagnostics > Ping and test from both interfaces.

Now we need to configure our virtual networks.

Go to Interfaces > Assignments

pfsense configuration 19

We already have WAN and LAN configured; we need two more interfaces to assign to our virtual networks.

Click ADD

pfsense configuration 20

Click OPT1 to configure it.

pfsense configuration 21
  • Enable the interface
  • Rename it to LAN2
  • Type: Static IPv4
pfsense configuration 22

Enter any IP from the range we gave to LAN2. Here we assign it at the end of the range.

pfsense configuration 23

We do not need to block anything here, as we already did that on the WAN.

pfsense configuration 24

Click Save and apply changes.

pfsense configuration 25

Now we need to do the same with OPT2 for the DMZ.

pfsense configuration 26
  • Enable the interface
  • Name: DMZ
  • Type: Static IPv4
pfsense configuration 27

Enter an IP from the range we assigned to the DMZ.

pfsense configuration 28

Same here as we did for LAN2: no blocking options needed.

pfsense configuration 29

Click Save and Apply Changes

pfsense configuration 30

And we are done with the configuration of our interfaces.

pfsense configuration 31

To check connectivity, go to Diagnostics > Ping; both interfaces have connectivity.

With this our pfSense configuration is complete. All that remains is to add firewall rules to our interfaces and to connect the other virtual machines to our pfSense router instead of NAT, so that their traffic is routed through pfSense.

Firewall Configuration

Now that pfSense is properly configured we need to add some basic firewall rules, as we don't want

  • LAN
  • LAN2
  • DMZ

interconnecting unnecessarily. But before that we need to turn on the DHCP service on the new interfaces so that their clients get addresses and can reach the internet: Services > DHCP Server > LAN2.

firewall configuration 1

Scroll down, click Save and then click Restart Service, or else it won't take effect.

firewall configuration 2

Do the same for the DMZ.

firewall configuration 3

Now go to Firewall > Rules.

Here we have some pre-configured rules for WAN and LAN Interfaces.

firewall configuration 4

For the LAN, the first one is the Anti-Lockout rule. Do not change or remove it: if you do, you won't be able to access the web configurator, and you will have to redo the system installation and lose all the present configuration.

The other two rules allow internet access on the LAN interface. First we need these same two rules on the LAN2 interface.

To do so we can either create a new rule from scratch or simply copy the rule to the LAN2 interface. To copy the rule, click Copy (as shown above).

Now change the interface to LAN2 and the source to LAN2 net, then click Save.

firewall configuration 5

Now click Apply Changes. You can either apply changes every time you define a rule or define all the rules and then apply once; the result is the same.

firewall configuration 6

Now we need to add a few more rules, so click Add (to top).

firewall configuration 7

This rule blocks any connection from LAN2 to the LAN interface, as we don't want the networks interconnecting in an organization.

firewall configuration 8

Another Block rule for LAN2 to DMZ.

firewall configuration 9

Once done click apply changes.

firewall configuration 10

Now for the DMZ we want a slightly larger rule set.

Creating a rule is the same procedure as shown above.

firewall configuration 11

On the DMZ we have created:

  • BLOCK DMZ TO LAN
  • BLOCK DMZ TO LAN2
  • BLOCK DMZ TO FIREWALL (the web configurator interface, as we don't want any unauthorized person anywhere on the network to reach the firewall)
  • ALLOW INTERNET OVER BOTH HTTP AND HTTPS
  • ALLOW DNS TRAFFIC FROM THE DMZ
  • ALLOW PING
  • ALLOW NTP (for clock synchronization)
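pfSense evaluates the rules on an interface top to bottom and the first match wins, so the order of the LAN2 blocks above the copied allow rule, and of the three DMZ blocks above the DMZ allows, is what makes the policy work. As an added example, not code from the original post or from the pfSense project, here is a small Python model of that first-match evaluation loaded with the rule sets described for LAN, LAN2 and the DMZ, run over a handful of constructed flows. The subnets (10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24) and the firewall's .254 address on each interface are assumptions; the post gives only the LAN gateway 10.0.0.254 and the interface names.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed lab addressing (an assumption, not taken from the post, which gives
# only the LAN gateway 10.0.0.254 and the interface names LAN, LAN2 and DMZ).
NETS = {
    "LAN": ip_network("10.0.0.0/24"),
    "LAN2": ip_network("10.0.1.0/24"),
    "DMZ": ip_network("10.0.2.0/24"),
}
# Addresses pfSense itself holds on each interface (assumed .254 on every net).
FIREWALL_IPS = {ip_address(f"10.0.{i}.254") for i in range(3)}


@dataclass
class Rule:
    iface: str          # interface the packet arrives on (rules are per-interface)
    action: str         # "pass" or "block"
    proto: str          # "any", "tcp", "udp" or "icmp"
    src: str            # "LAN", "LAN2", "DMZ" or "any"
    dst: str            # "LAN", "LAN2", "DMZ", "firewall" or "any"
    ports: tuple = ()   # destination ports for tcp/udp; empty tuple = any port
    desc: str = ""


def _matches(rule, iface, proto, src, dst, dport):
    if rule.iface != iface:
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.src != "any" and src not in NETS[rule.src]:
        return False
    if rule.dst == "firewall":
        if dst not in FIREWALL_IPS:
            return False
    elif rule.dst != "any" and dst not in NETS[rule.dst]:
        return False
    if rule.ports and dport not in rule.ports:
        return False
    return True


def evaluate(rules, iface, proto, src, dst, dport=None):
    """First match wins, as with pfSense interface rules; no match means block."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if _matches(rule, iface, proto, src, dst, dport):
            return rule.action, rule.desc
    return "block", "implicit default deny"


# The policy built in the post, in the order the post creates it.
RULES = [
    # LAN: anti-lockout (HTTPS to the firewall) followed by the default allow.
    Rule("LAN", "pass", "tcp", "any", "firewall", (443,), "Anti-Lockout"),
    Rule("LAN", "pass", "any", "LAN", "any", (), "Default allow LAN to any"),
    # LAN2: the two blocks sit above the allow rule copied from LAN.
    Rule("LAN2", "block", "any", "LAN2", "LAN", (), "Block LAN2 to LAN"),
    Rule("LAN2", "block", "any", "LAN2", "DMZ", (), "Block LAN2 to DMZ"),
    Rule("LAN2", "pass", "any", "LAN2", "any", (), "Allow LAN2 to any"),
    # DMZ: three blocks, then only the services the post lists.
    Rule("DMZ", "block", "any", "DMZ", "LAN", (), "Block DMZ to LAN"),
    Rule("DMZ", "block", "any", "DMZ", "LAN2", (), "Block DMZ to LAN2"),
    Rule("DMZ", "block", "any", "DMZ", "firewall", (), "Block DMZ to firewall"),
    Rule("DMZ", "pass", "tcp", "DMZ", "any", (80, 443), "Allow HTTP/HTTPS"),
    Rule("DMZ", "pass", "udp", "DMZ", "any", (53,), "Allow DNS"),
    Rule("DMZ", "pass", "icmp", "DMZ", "any", (), "Allow ping"),
    Rule("DMZ", "pass", "udp", "DMZ", "any", (123,), "Allow NTP"),
]


def check_policy(rules=RULES):
    """Run constructed sample flows through the ruleset; returns {label: action}."""
    flows = {
        "lan2_to_lan_smb":  ("LAN2", "tcp", "10.0.1.20", "10.0.0.5", 445),
        "lan2_to_internet": ("LAN2", "tcp", "10.0.1.20", "203.0.113.10", 443),
        "dmz_to_lan_http":  ("DMZ", "tcp", "10.0.2.30", "10.0.0.5", 80),
        "dmz_dns_external": ("DMZ", "udp", "10.0.2.30", "8.8.8.8", 53),
        "dmz_dns_firewall": ("DMZ", "udp", "10.0.2.30", "10.0.2.254", 53),
        "dmz_ssh_out":      ("DMZ", "tcp", "10.0.2.30", "203.0.113.10", 22),
        "dmz_ping_out":     ("DMZ", "icmp", "10.0.2.30", "203.0.113.10", None),
        "lan_webgui":       ("LAN", "tcp", "10.0.0.7", "10.0.0.254", 443),
    }
    return {label: evaluate(rules, *flow)[0] for label, flow in flows.items()}


if __name__ == "__main__":
    for label, action in check_policy().items():
        print(f"{label:18} {action}")
```

Two things the sample flows make visible: outbound SSH from the DMZ is dropped by the implicit default deny rather than by any explicit rule, and a DNS query from a DMZ host to the firewall's own DMZ address is blocked by the "DMZ to firewall" rule, because that block sits above the DNS allow. That is fine while DMZ clients use the external resolvers set in the wizard; if you ever point them at pfSense's own resolver, a narrow UDP/53 allow to the firewall address would have to be placed above that block.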
