pfSense Firewall

skada · January 10, 2021, 12:10am

I installed pfsense on a computer that I want to put between my ISP router and a switch. If I want to just use it as a firewall how would I set it up? From my understanding I would need to disable DHCP and setup DHCP relay for the LAN right? Are there any other things I need to do so it works?

Buffy · January 10, 2021, 3:18am

We use OPNsense, which is pretty similar (it’s a fork), but here’s a good video on pfSense. It’s long, but I think it’s worthwhile to understand thoroughly.

NZSNIPER · January 10, 2021, 4:21am

Why would you not bridge your ISP router?

skada · January 10, 2021, 2:54pm

I want to keep it separate from family devices so I don’t want it to do routing for everybody.

Buffy · January 10, 2021, 3:36pm

So, are you saying you want family devices on one network and your own stuff on another and for them to be separate and not talk to each other?

If it is, the way we did it is that we have a multi-port intel ethernet card on the firewall/router (OPNsense).

Port 0 goes to the ISP cable modem and is the WAN connection.

Port 1 goes to our local gigabit switch for our LAN; everything is wired. Address space is separate from the WIFI network (example: 192.168.0.1/24)

Port 2 goes to a WAP that our tablets and dad’s phone can connect to to get internet access. Also any visitors can (with a password) connect to it to get internet. This network has a separate address space from the LAN. (example: 192.168.1.1/24)

The firewall rules we set don’t allow communication between the WIFI network and our LAN.

If your family also has wired devices, you can connect a switch to Port 2 and connect the WAP to that switch, then they can have both WIFI and wired.

Our LAN has DNS and DHCP provided by a Synology NAS, but you could use whatever for that. The DNS forwards to the ISP.

The WIFI network has DHCP provided by OPNsense on that port (Port 2). It just provides DNS forwarding to the ISP and doesn’t see our LAN’s DNS.

@PhaseLockedLoop has a pretty interesting and comprehensive post about their network setup, which is a lot more than you’re looking for, but still really educational and I think will give you some context too.

Phaselockedloopable- PLL's continued exploration of networking, self-hosting and decoupling from big tech Community Blog

Post purpose: To blog my continued exploration, difficulty, frustrations, blood, sweat, tears, rewards and happiness in experimenting with as open hardware as I can find within reason to do most of my cloud stuff at home. Occasional discussion of my projects ran on the server or devices will be talked about. Basically JAB (Just another blog) A little theme music: [Cinephile - Comatose] It has long come time to be the architect of my own set of network hardware, cloud and NAS. [tenor] In any case for the longest time I wanted to move away from the growing technological cloud onto something I created. I wanted to do this across all my devices but Android without google for example is rather terrible (and lol still is). I digress lets get into a brainstorm of the plan. [image] Government botnet= Telework system. I am an engineer for the Department of Defense. The ryzen server (planned) The ryzen system supports 6 drives. So when I turn it into a server my ultimate plan is the following: 6 8 tb drives - RAID6. Shucking drives from WD Easystores seems to be the cheapest route and 8 tb is the price sweet spot atm. Excluding the amazing deal on 16 TB EXOS drives recently. @wendell @SgtAwesomesauce you are the Subject Matter Experts on this. ZFS or RAID6? I am thinking RAID6 but I will be upgrading to the full 64 GB of RAM so ZFS would be doable with its advanced features. Management software: [image] Reason over unraid: I dont want to pay Reason over proxmox: My primary focus is not VM’s. This software is more well rounded imho Reason over truenas: I do still want to do VMs and truenas is less than intuitive here. Thanks @Novasty for letting me stress-NG LOL I mean test out cockpit on your systems. Its really nice. It will simplify my multi system management. That is the end goal its not just a single host system here! OS of Choice: CentOS 8 https://wiki.centos.org/ System Specifications (When built) Ryzen 7 1700X GPU: GTX 980 Ti…

Shadowbane · January 10, 2021, 5:38pm

I keep all the family network traffic off my network and still get internet traffic to my network; all I had to do was connect my Netgate SG-5100 appliance to the family router and turn on the Netgate SG-5100 appliance. What surprised me was the SG-5100 appliance did all the basic configurations automatically. I will be writing a guide on accomplishing the goal @skada wants to fulfill as soon as I figure out the best default firewall rules and get my random thoughts into a concise and coherent format. When It is ready, I will post it at the following post.

(Shadowbane"s Networking Journy)

skada · January 10, 2021, 7:20pm

This is what I am trying to set up basically. Kind of like a DMZ. PfSense between my computer and the ISP router. I want the ISP router as the DHCP and DNS server. I don’t really have a specific reason as to why I want to do this other than I just want to experiment with the pfSense firewall. Is this possible without having to do double NAT or having two separate networks?

Buffy · January 10, 2021, 7:31pm

Well, to do it like that you can have your pfSense not do NAT.

PhaseLockedLoop · January 10, 2021, 7:55pm

The easiest way this was done for me was segregating the ports off into subnets

LAN 1 was my next week 10.31.82.x IP6 7141 prefix
OPT 1 unused
OPT 2 10.31.83.x (government computer). IP6 7142 prefix
WG 10.31.84.x with IP6 LL and routed

Then all you have to do in the rules is make sure they don’t talk to each other (if you wish to isolate) and voila. Done routing for LAN and the other interfaces can all be done different with different router advertisements and not interfere with each other unless you designate specific routes

Thanks buffy for the share

ISPs do give you subnets for this. You can play around with VLAN tagging there’s a lot of ways to do what you are asking.

PhaseLockedLoop · January 10, 2021, 8:21pm

Ahh I didn’t see this until I scrolled…

That’s interesting. Honestly I would have bought an AP and put it on the pfsense and bridge moded the modem but you can do it this mode.

Bridge the firewall so it’s firewal only no routing. Everything goes in it like a HOP. the firewall just determines what can get through that hop

Trooper_ish · January 10, 2021, 8:21pm

I separated my network from the family network with a pi, using dnsmasq and forwarding ports, but it does not use pfsense/BSD, only linux.

The guide I used was below, but iirc, it’s basically just like subnetting, rather than some strong tunnel to an external endpoint

github.com

garyexplains/examples/blob/master/raspberry_pi_router.md

## Assumption
You have Raspian installed on your Pi and that its primary LAN (_eth0_) is configured to use DHCP. It will likely get its address information from your Internet modem/routers. I assume you can connect to it over _eth0_.

## Install dnsmasq
From the command line, run `sudo apt install dnsmasq` to install dnsmasq. Stop it, for now, with `sudo systemctl stop dnsmasq`

## Static IP for eth1
Now set a static IP address for the second ethernet connection (_eth1_). Edit _/etc/dhcpcd.conf_ with `sudo nano /etc/dhcpcd.conf`. Go to the end of the file and edit it so that it looks like the following:
```
interface eth1
    static ip_address=192.168.7.1/24
```

## Configure dnsmasq
Discard the old conf file and create a new configuration:
```
sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
sudo nano /etc/dnsmasq.conf
```
Add these lines:

This file has been truncated. show original

edit: I meant to paste the link to this: