Pfsense and Ubiquiti questions

So I finally set up my pfsense box and ditched my old actiontec router that I got with fios, which was a long time coming, about 3 years in fact. Now I am running into a few issues.
The first is I know very little about network security and firewall rules. On my old actiontec router there was a button that said medium security, so I clicked that, set a strong wifi password and went on with my day. Now I’m trying to set firewall rules and block lists to try and secure my network and I am a bit out of my depth. I had to reset my pfsense default allow all network traffic through lan because the ones I had set were messing with steam. Things I have done to help secure my network so far are set my dns to quad9 and set up block lists with pfblockerng. I found this website to be really helpful with that section.
https://www.linuxincluded.com/

The second question I had is how do I set up my wifi ap unit. I have an Ubiquiti unifi ap ac lite that I would like to use but I am a little confused on how I go about the setup. I am reading different posts on this and some people say you need to set it up in bridge mode or set up vlans. Would it be possible to set it up on an unmanaged switch as just an ap, set a strong wifi password and connect to it, or is that going to cause problems?

For those who don’t want to read my text wall:
Question #1: How can I make my network more secure?
Question #2: How do I set up my Ubiquiti unifi ap ac lite with pfsense so I can get wifi?
Helpful link I used:
https://www.linuxincluded.com/

Okay so this is a pain because I’m on a phone. You need to get the AP powered up and a network connection. Personally I have a dedicated subnet space for wireless, but it’s not required. After that, you either need the UniFi controller on a system, or you can run the UniFi app and do setup that way. Personally I have the controller running. Makes it a lot easier to handle new APs or upgrades later. Just connect, adopt, wait, then it’s configured with all the wireless settings you established however long ago. So nice these “professional” tools are.

Just installing pfsense on your network makes it more secure. The best step beyond that you can take is to create a deny all rule under the WAN.

To install your AP all you need to do is connect it to your network through the PoE injector and use the software on a hardwired workstation to set it up. Takes about 5 minutes.

To create that deny all rule:

[image: the deny all rule]

I don’t use a rule like that because it’s mostly unneeded and only a step for the most paranoid. Also it breaks some xbox related stuff like remote turn on.

Firewall rules flow top to bottom, meaning that if a rule meets the requirements of an object it stops processing and goes with that rule.

How are you setting up your firewall rules? In pfSense firewall rules are executed from top to bottom, e.g. rules above take priority over those below, and everything is explicitly blocked by default. Because of this you can set allow rules for the traffic you want to pass and everything else should be blocked. Also you should try and get very familiar with aliases and use them whenever possible. It will make managing the firewall so much easier, especially when you start having a lot of firewall rules.

Guess that means upnp rules go at the bottom. I always assumed they went at the top.

The default action is to block all, so an extra block all rule is redundant, and can lead to problems when you’re dealing with invisible rules whose position in the rules stack you can’t control.

Depends what you want to achieve. Generally speaking, for regular use the default block all on wan, allow all on lan is as secure as you’d want to be. But it depends what you want. You could set up the lan firewall to block everything and then only allow things that you specifically want allowed. But it’s a lot of work to figure out what you want to allow, especially for things like games. So for a home network you probably don’t want to set it up that way.

As for the AP, just plug it in to your LAN. You can have it on a second subnet if you like for security. Without a managed switch you would need an extra interface on pfsense that you could plug it in to, then you’d have to make firewall rules to do whatever you wanted to do.

I will probably just plug it into my lan because I do have extra ports on my router, but they’re Realtek and from what I read those are terrible with pfsense.

The way I initially set them up was to disable the allow any traffic rule for IPv4 and IPv6 on lan and, in order,
pass
DNS (53)
http (80)
https (443)
ssh (22)
icmp
After that, when I booted my desktop and launched steam it kept on not being able to connect; at some points I could get it to work by closing it out from the task manager and relaunching it. Yesterday I closed it out of the task manager 3 or 4 times and it still would not connect. I disabled those rules and set allow any back up and it connected without issue.

There are a whole bunch of other ports that steam needs

That is what I figured. I will have to do more research on which ports to open and for what. As for what I need in terms of security, I am in a bit of a unique situation where I don’t have to manage my network for anyone else, just myself. I’m probably more focused on blocking ads or ad redirects, and network intrusion from the outside, which I guess blocking all traffic on the wan is a pretty good start for. I might look into Suricata or Snort.
The last thing, which hopefully I will be able to build sometime this year, is a server that will need to connect to the internet to get updates or so I can download different apps to it like Samba, zoneminder, vmware etc. but not be accessible to remote connection from outside of my network. This will probably be my biggest hurdle.

Found here:

https://support.steampowered.com/kb_article.php?ref=8571-GLVN-8711

Yes, please be careful. It is easy to misconfigure your router and accidentally expose yourself.

Here is a good starting point. I use a Ubiquiti router, so the syntax might be a little different, but you can achieve the same (and more) on pfsense.

This assumes you trust everything on your LAN, you don’t want to limit how you can access services on the internet, and that you aren’t running any services that you want open to the internet.

WAN --> Router

Accept Valid Sessions
Accept ICMP
Deny All

Router --> WAN

Accept All

LAN --> Router

Accept All

Router --> LAN

Accept All

WAN --> LAN

Accept Valid Sessions
Deny All

LAN --> WAN

Accept All
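A small model of the evaluation order described in the posts above (rules top to bottom, first match wins, implicit default block) applied to the LAN port list that broke Steam and to the WAN side of the table just posted. This is added example code, not from anyone in the thread; the "steam_out" alias contents are an assumption used only to illustrate an alias-based rule, and "reply_to_state" stands in for the stateful return traffic the table calls "Accept Valid Sessions".

```python
"""Model of pfSense rule evaluation: top to bottom, first match wins, anything
unmatched hits the implicit default block. Stateful replies bypass the rules."""
from dataclasses import dataclass
from typing import Optional

# Named port sets, like pfSense aliases. "basic_out" is the list from the thread;
# "steam_out" is an ASSUMED set used only to illustrate an alias-based rule.
ALIASES = {
    "basic_out": {("tcp", 53), ("udp", 53), ("tcp", 80), ("tcp", 443), ("tcp", 22)},
    "steam_out": {("udp", p) for p in range(27015, 27031)} | {("tcp", 27036)},
}

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    alias: Optional[str] = None  # key in ALIASES, or None for any port
    label: str = ""

    def matches(self, proto: str, dport: Optional[int]) -> bool:
        if self.proto not in ("any", proto):
            return False
        return self.alias is None or (proto, dport) in ALIASES[self.alias]

def evaluate(rules, proto, dport=None, reply_to_state=False):
    """Return (action, reason) for one packet arriving on an interface."""
    if reply_to_state:               # return traffic of an already allowed session
        return "pass", "state table"  # the table's "Accept Valid Sessions"
    for rule in rules:               # first match wins; rules below are never seen
        if rule.matches(proto, dport):
            return rule.action, rule.label
    return "block", "default deny (implicit)"

# The LAN ruleset from the thread once the default "allow any" was disabled.
LAN_RESTRICTED = [
    Rule("pass", "any", "basic_out", "DNS/HTTP/HTTPS/SSH"),
    Rule("pass", "icmp", None, "ICMP"),
]
# Same ruleset plus one alias-based pass rule for the game client.
LAN_WITH_STEAM = LAN_RESTRICTED + [Rule("pass", "any", "steam_out", "Steam")]
# WAN with no rules: an explicit "Deny All" at the bottom changes no outcome.
WAN_EMPTY: list = []
WAN_EXPLICIT = [Rule("block", label="explicit deny all")]

if __name__ == "__main__":
    for name, rules in (("LAN restricted", LAN_RESTRICTED), ("LAN + Steam", LAN_WITH_STEAM)):
        for flow in (("tcp", 443), ("udp", 27015), ("icmp", None)):
            print(name, flow, evaluate(rules, *flow))
    print("WAN new tcp/22:", evaluate(WAN_EMPTY, "tcp", 22), evaluate(WAN_EXPLICIT, "tcp", 22))
    print("WAN reply:", evaluate(WAN_EMPTY, "tcp", 443, reply_to_state=True))
```

Running it shows the Steam UDP flow falling through to the implicit block on the restricted LAN set, and the WAN outcome being identical with or without the explicit deny all rule.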

Well it’s actually related to incoming ports to the xbox. Apparently when you select “wake up xbox” when you’re on your LAN it sends the wakeup packet to the xbox servers which then sends it to the xbox. The deny all rule breaks that… and the automatic updates and a couple of other services.

Edit: But I didn’t know the deny all rule was already there. That’s good to know… although I’m not a fan of invisible rules in firewalls. Checkpoint had something similar for their content filtering part of the firewall. I was able to get them to modify the OS to fix that for me because I had some specialty rules that conflicted with it on occasion.

Might need to add DHCP if you get your public IP that way. I honestly don’t remember if DHCP requires ports open in both directions or only one.

If you are talking about the need to add a firewall rule in pfSense so you can set up your DHCP server, no you don’t; if it needs to be done, the install program for pfSense does that for you automatically. From the limited experience I had with pfSense, it automatically set up my DHCP server; the only thing I probably had to set up was my firewall rules, but since I only had one physical interface and was trying to set up VLANs to get around the fact I only have one physical interface, I didn’t get very far before I gave up.

I meant if your ISP is using DHCP to assign your public IP.

You don’t require any open ports on wan, unless you are setting up port forwards. You don’t require any block rules on wan, because everything is already being blocked.

Not sure if you were replying to me, but I was referring to traffic between WAN and the router, not between WAN and LAN.

What you said is totally correct, I just want to clarify what I was saying.

Yeah I understand what you mean, but it doesn’t require any open ports for dhcp or anything like that. The only reason you would make an allow rule on wan is for a port forward.

Edit: seems weird though right? But it makes sense that the firewall rules would only apply once the interface has an IP address.