Setting up pfSense

Author: avolent
Updated on: May 2024

Summary

The following page goes over how I configure my pfSense at home and what steps it takes to get there.

Assumptions

Contents

  1. Useful Links
  2. Initial Setup
  3. UPNP
  4. Port Forwarding
  5. References

Default pfSense Login

Username: admin
Password: pfsense

Initial Setup

Useful video for pfSense setup and basic settings. [1]

1. /System/Advanced/Admin Access

Enable Display page name first in browser tab.
Enable Secure Shell if required.

2. /Advanced/Firewall & NAT

Update Firewall Maximum Table Entries to 10,000,000.
Enable IP Random ID generation.

3. /Advanced/Misc

Enable PowerD.
Enable Cryptographic Hardware.
Enable Thermal Sensors.
Enable Do NOT send Netgate Device ID with user agent.

4. /System/General Setup

Theme = pfSense Dark.
Top Navigation = Fixed.
Dashboard Columns = 3.

5. /System/Package Manager/Available Packages

darkstat (Optional)
iperf (Optional)
nmap (Optional)
pfblockerng-devel (Important)

6. /System/User Manager/Users

Add a new local user and attach them to the administrator group.
Log out and log back in as the new user.

7. /Interfaces/WAN

Port assignments can be changed in /Interfaces/Assignments.
Most settings here are fine at their defaults.
If you need or want IPv6, change the DHCPv6 Prefix Delegation size to the size your internet provider has given you.

8. /Services/DHCP Server/LAN

Enable Change DHCP display lease time from UTC to local time (do the same for IPv6).
Assign your static IP addresses.

9. /Services/DNS Resolver/General Settings

Enable DNSSEC Support.
Enable Python Module (leave its settings at the defaults) if you want regex blocking.

10. /Services/Dynamic DNS/Dynamic DNS Clients

Create a Cloudflare DDNS client.

11. /Firewall/pfBlockerNG [2]

CRON Settings = Once a day.

12. /Firewall/pfBlockerNG/IP - Make sure you Force Reload at the end to save changes

Enable Floating Rules.
Enable Kill States.
Add MaxMind License Key.

13. /Firewall/pfBlockerNG/DNSBL

DNSBL Mode = Unbound Python Mode if you want regex blocking.
Regex Blocking = Enable.
DNSBL IPs - List Action = Deny Both.
Add all your feeds and enable them.
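To make the DNSBL settings above concrete, here is an added Python illustration (my own, not pfBlockerNG or Unbound code) of the decision a DNSBL hook makes once regex blocking is enabled: the exact-name list is consulted first, walking up through parent domains, then the regex list, and anything unmatched resolves normally. It also includes the check I would run before enabling a new regex: a dry run against names that must keep working, since an unanchored pattern silently takes out far more than intended. The list contents, the patterns, and the assumption that a listed domain also covers its subdomains are all mine.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample data, not a pfBlockerNG feed: exact names as a DNSBL feed would
# supply them, and regex entries as typed into the DNSBL regex list.
BLOCKED_DOMAINS = {"ads.example.net", "tracker.example.org"}
BLOCK_REGEXES = [
    r"^ads?(erver)?\d*\.",  # first label is ad, ads, adserver, adserver12, ...
    r"(^|\.)tracking\.",    # a label spelled exactly "tracking" anywhere in the name
]
COMPILED = [re.compile(p, re.IGNORECASE) for p in BLOCK_REGEXES]


def normalize(qname: str) -> str:
    """Drop the trailing dot of a DNS query name and lower-case it."""
    return qname.rstrip(".").lower()


def domain_match(qname: str, blocked: Iterable[str]) -> Optional[str]:
    """Return the list entry that covers qname, trying the full name and then each parent.
    Assumption: a listed domain also covers its subdomains."""
    blocked = set(blocked)
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None


def regex_match(qname: str, patterns: Iterable[re.Pattern]) -> Optional[str]:
    """Return the first pattern that matches the normalized name, if any."""
    name = normalize(qname)
    for pat in patterns:
        if pat.search(name):
            return pat.pattern
    return None


def dnsbl_decision(qname: str, blocked_domains: Iterable[str] = BLOCKED_DOMAINS,
                   patterns: Iterable[re.Pattern] = COMPILED) -> Tuple[str, str]:
    """Decide "block" or "allow" for one query: the domain list wins, then regex, else allow."""
    hit = domain_match(qname, blocked_domains)
    if hit:
        return ("block", "domain list: " + hit)
    hit = regex_match(qname, patterns)
    if hit:
        return ("block", "regex: " + hit)
    return ("allow", "")


def check_false_positives(regexes: Iterable[str], known_good: Iterable[str]) -> List[Tuple[str, str]]:
    """Dry-run a regex set against names that must keep resolving.
    Returns (name, pattern) pairs that would be sinkholed; an empty list means the set is safe for them."""
    compiled = [re.compile(p, re.IGNORECASE) for p in regexes]
    hits = []
    for name in known_good:
        pat = regex_match(name, compiled)
        if pat is not None:
            hits.append((name, pat))
    return hits


if __name__ == "__main__":
    for q in ("cdn.ads.example.net.", "adserver12.cdn.test", "www.example.com"):
        print(q, dnsbl_decision(q))
    # An unanchored pattern like "ad" also hits "download.example.com".
    print(check_false_positives([r"ad"], ["download.example.com"]))
```

The point of `check_false_positives` is that regex entries are evaluated against every query name, so keep them anchored (`^`, `\.`) and test them against the hostnames your own devices and services depend on before a Force Reload.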

MAKE SURE YOU UPDATE/RELOAD ALL SO THE CHANGES ARE ACTIVE!!

If you get an error about running out of memory, it could be related to your Firewall Maximum Table Entries setting. Because pfBlockerNG loads a lot of rules, you may need to raise it even further than in the earlier step. [3]
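The table-limit problem above is easier to reason about with numbers, so here is an added Python example (mine, not pfBlockerNG code) that parses IP feeds in their plain-text form, deduplicates them the way pf counts table entries (one entry per distinct prefix, however large), and compares the total with a configured limit while keeping some headroom. The feed contents use documentation address ranges and are constructed for the example; the 20% reserve is my own rule of thumb.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample feeds in the plain-text form IP feeds use (one IP or CIDR per line,
# "#" comments). The addresses are documentation ranges, not real blocklist contents.
SAMPLE_FEEDS: Dict[str, str] = {
    "feed_a": "# sample feed A\n198.51.100.0/24\n203.0.113.7\n203.0.113.7\n",
    "feed_b": "203.0.113.0/25\n198.51.100.0/24  # duplicate of feed_a\n2001:db8:bad::/48\nnot an address\n",
}


def parse_feed(text: str) -> List[Net]:
    """Parse one feed body; a bare IP becomes a /32 or /128. Lines that are not
    addresses are skipped, which is also what a loader must do with junk in a feed."""
    nets: List[Net] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue
    return nets


def unique_entries(feeds: Dict[str, str]) -> List[Net]:
    """Deduplicate across feeds. Each distinct prefix costs one pf table entry
    whatever its size: a /8 and a /32 both count as one."""
    seen: Dict[Net, None] = {}
    for body in feeds.values():
        for net in parse_feed(body):
            seen[net] = None
    return list(seen)


def table_headroom(limit: int, feeds: Dict[str, str], reserve: float = 0.2) -> Dict[str, object]:
    """Compare what the feeds would load against Firewall Maximum Table Entries.
    pf refuses to load a table that would exceed the limit, which is the failure
    the page describes. reserve keeps headroom for feed growth and for the
    tables pfSense loads on its own (bogons, aliases)."""
    needed = len(unique_entries(feeds))
    return {"entries": needed, "limit": limit, "ok": needed <= limit * (1 - reserve)}


def covered_by(ip: str, entries: Iterable[Net]) -> Optional[Net]:
    """Return the entry that would match ip once the table is loaded, or None."""
    addr = ipaddress.ip_address(ip)
    for net in entries:
        if addr.version == net.version and addr in net:
            return net
    return None


if __name__ == "__main__":
    print(table_headroom(10_000_000, SAMPLE_FEEDS))
    print(covered_by("203.0.113.9", unique_entries(SAMPLE_FEEDS)))
```

On the firewall itself, `pfctl -sm` shows the current table-entries hard limit, `pfctl -sT` lists the loaded tables, and `pfctl -t <table> -T show | wc -l` counts the entries one table actually holds, which is the number to compare with the limit when the out-of-memory error appears.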

PFBlockerNG Feeds

The following feeds are what I currently use!

PRI1
PRI2
PRI1_6
Easylist
ADs
AD_Basic
Cryptojackers
Firebog_Advertising

UPNP

Configuring the following is useful for devices that report a strict NAT type when playing games.
The device used in this example is a Nintendo Switch. [4]

1. /Services/DHCP Server/LAN

Assign device a static IP.

2. /Services/UPnP & NAT-PMP

Enable the following:
UPnP & NAT-PMP
Allow UPnP Port Mapping
Allow NAT-PMP Port Mapping
Log packets handled by UPnP & NAT-PMP rules.
Deny access to UPnP & NAT-PMP by default.

Within ACL Entries, add the device configured with the static IP, like so:
allow 53-65535 192.168.1.246/32 53-65535

3. /Firewall/NAT/Outbound

Configure your Outbound NAT mode as Hybrid.
Add the following rule:
Interface: WAN
Address Family: IPv4 + IPv6 (IPv4 only if IPv6 not enabled)
Protocol: Any
Source: Network | deviceip/32 | no port range
Destination: Any
Translation Address: Interface Address
Translation Port or Range: Empty | Check the static box

Then add a description to this rule.

Your device should now have a better NAT Type when playing games.
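To show what the ACL entry in step 2 actually permits, here is an added Python evaluator (my own illustration, not miniupnpd or pfSense code) for entries of the form `allow|deny ext-ports int-ip[/mask] int-ports`. It parses a small constructed ACL, then answers whether a given client may request a given mapping. The assumption that rules are checked in order with the first match deciding, and the extra deny line placed above the page's allow line to show that ordering, are mine.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AclRule:
    action: str                      # "allow" or "deny"
    ext_ports: Tuple[int, int]       # external (WAN) port range a client may request
    network: ipaddress.IPv4Network   # internal clients the rule applies to
    int_ports: Tuple[int, int]       # internal port range the mapping may point at


def _port_range(field: str) -> Tuple[int, int]:
    """'53-65535' -> (53, 65535); a single '3074' -> (3074, 3074)."""
    lo, _, hi = field.partition("-")
    low = int(lo)
    high = int(hi) if hi else low
    if not 0 < low <= high <= 65535:
        raise ValueError(f"bad port range: {field!r}")
    return low, high


def parse_acl(text: str) -> List[AclRule]:
    """Parse ACL lines of the form 'allow|deny ext-ports int-ip[/mask] int-ports'."""
    rules: List[AclRule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"malformed ACL line: {raw!r}")
        rules.append(AclRule(parts[0], _port_range(parts[1]),
                             ipaddress.ip_network(parts[2], strict=False), _port_range(parts[3])))
    return rules


def mapping_allowed(rules: List[AclRule], client_ip: str, ext_port: int, int_port: int,
                    deny_by_default: bool = True) -> Tuple[bool, Optional[AclRule]]:
    """Evaluate a port-mapping request. Assumption: rules are checked in order and the
    first one whose network and both port ranges match decides; with no match the
    default applies (deny, when 'Deny access to UPnP & NAT-PMP by default' is on)."""
    addr = ipaddress.ip_address(client_ip)
    for rule in rules:
        if (addr in rule.network
                and rule.ext_ports[0] <= ext_port <= rule.ext_ports[1]
                and rule.int_ports[0] <= int_port <= rule.int_ports[1]):
            return rule.action == "allow", rule
    return (not deny_by_default), None


# Constructed ACL: the page's entry for the console, with an explicit deny added
# above it to show that order matters (an earlier deny shadows a later allow).
ACL_TEXT = """
deny 1-1023 192.168.1.0/24 1-1023
allow 53-65535 192.168.1.246/32 53-65535
"""
RULES = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    for ip, ext, internal in (("192.168.1.246", 3074, 3074), ("192.168.1.10", 3074, 3074),
                              ("192.168.1.246", 443, 443)):
        ok, rule = mapping_allowed(RULES, ip, ext, internal)
        print(ip, ext, "->", internal, "allowed" if ok else "denied", rule)
```

With "Deny access to UPnP & NAT-PMP by default" enabled, any host not named in an allow entry gets nothing, which is why the page's single /32 line is the whole policy: only the console can open mappings, and only in the listed port ranges.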

Port Forwarding

Port forward so that you can host games on your internal network and share them with your friends externally.

1. /Firewall/NAT/Port Forward

Add a rule for the port you would like to forward.
Interface: WAN
Address Family: IPv4 (unless you need IPv6)
Protocol: TCP, UDP, or TCP/UDP for both
Destination: WAN
Destination Port Range: Either a single port or a range. (This is the external port that will be connected to.)
Redirect IP: The IP of the device hosting the server.
Redirect Target Port: The port your server is using. (Multiple rules are required for multiple ports.)
Description: A description for the rule.
Filter rule association: Add associated filter rule.

Save the rule.

These ports are now open to the internet. BE CAREFUL and open only what is needed. Block unnecessary global subnets etc. via pfBlockerNG.
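As an added example of the "open only what is needed" point (my own code, not part of the page or pfSense), here is a small audit over a constructed list of port-forward rules shaped like the fields above. It flags wide external ranges, forwards that land on admin or file-sharing ports, redirect targets outside the LAN, and later rules whose external ports collide with an earlier one (pf redirect rules are first-match, so the later rule never fires). The LAN of 192.168.1.0/24, the admin-port list and the ten-port width threshold are my assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class PortForward:
    description: str
    interface: str               # e.g. "WAN"
    protocol: str                # "TCP", "UDP" or "TCP/UDP"
    dest_ports: Tuple[int, int]  # external port range reachable from the internet
    redirect_ip: str             # internal host running the service
    redirect_port: int           # port that host listens on


# Well-known admin/file-sharing ports that should not be reachable from the internet.
ADMIN_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 445: "SMB", 3389: "RDP", 5900: "VNC"}
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumption: matches the LAN used on this page

# Constructed rule set with one clean rule and four typical mistakes.
SAMPLE_RULES = [
    PortForward("minecraft", "WAN", "TCP", (25565, 25565), "192.168.1.50", 25565),
    PortForward("game-range", "WAN", "UDP", (27000, 27100), "192.168.1.51", 27015),
    PortForward("ssh-to-nas", "WAN", "TCP", (2222, 2222), "192.168.1.60", 22),
    PortForward("vm-host", "WAN", "TCP", (8080, 8080), "10.0.0.5", 8080),
    PortForward("minecraft-dup", "WAN", "TCP/UDP", (25565, 25565), "192.168.1.52", 25565),
]


def _protocols(rule: PortForward) -> Set[str]:
    return {"TCP", "UDP"} if rule.protocol.upper() == "TCP/UDP" else {rule.protocol.upper()}


def overlapping(rules: List[PortForward]) -> List[Tuple[str, str]]:
    """Flag later rules whose external ports collide with an earlier rule on the same
    interface and protocol: pf redirect rules are first-match, so the later one never fires."""
    findings = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if (a.interface == b.interface and _protocols(a) & _protocols(b)
                    and a.dest_ports[0] <= b.dest_ports[1] and b.dest_ports[0] <= a.dest_ports[1]):
                findings.append((b.description, f"external ports overlap '{a.description}', which matches first"))
    return findings


def audit(rules: List[PortForward], lan=LAN, max_range: int = 10) -> List[Tuple[str, str]]:
    """Return (rule description, problem) pairs for rules that expose more than needed."""
    findings: List[Tuple[str, str]] = []
    for r in rules:
        width = r.dest_ports[1] - r.dest_ports[0] + 1
        if width > max_range:
            findings.append((r.description, f"opens {width} external ports; forward only the ports the server uses"))
        if r.redirect_port in ADMIN_PORTS:
            findings.append((r.description, f"forwards to {ADMIN_PORTS[r.redirect_port]} on {r.redirect_ip}; reach admin services over a VPN instead"))
        if ipaddress.ip_address(r.redirect_ip) not in lan:
            findings.append((r.description, f"redirect target {r.redirect_ip} is outside {lan}"))
    findings.extend(overlapping(rules))
    return findings


if __name__ == "__main__":
    for desc, problem in audit(SAMPLE_RULES):
        print(f"{desc}: {problem}")
```

Run it against your own rule list before saving new forwards; the one rule in the sample that passes cleanly is the single-port game server forwarded to a LAN host on the port it actually listens on.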

Buffer Bloat

todo [5]

WireGuard

todo [6]

VLANs

todo

References

Footnotes

  1. 2020 pfSense Setup by Lawrence Systems

  2. pfBlockerNG Setup by Lawrence Systems

  3. Firewall Table Limit Issue

  4. How to Get Open NAT

  5. Buffer Bloat by Lawrence Systems

  6. WireGuard Setup by Lawrence Systems

