Welcome back, network warriors! 🌟 You’ve made it through the first part of the journey, where you set up pfSense, configured DHCP, and got everything running smoothly. Now it’s time to level up and turn your virtual fortress into an impenetrable stronghold. Let’s dive into firewall configurations, add some killer rules, and make sure your network is locked down tight. Ready? Let’s go! 🎉

🛡️ Setting Up Firewall Rules (Because Security is Cool)

So, here’s where the real fun begins. Firewall rules are the heart of pfSense—this is where you decide who gets in, who stays out, and who gets to just pass by. Let’s create some rules to keep your network safe and sound.

1. Allow All LAN to WAN Traffic (Default):

  • pfSense typically allows all traffic from LAN to WAN by default.
  • This rule ensures that all devices on the LAN can access the internet.

To verify or add this rule:

  • Go to Firewall > Rules > LAN.
  • You should see a rule allowing all traffic from LAN to any destination.
  • If not, add a rule:
    • Action: Pass
    • Interface: LAN
    • Protocol: Any
    • Source: LAN net
    • Destination: Any
    • Save and Apply Changes


2. Block All Traffic from LAN to WAN Except HTTP/HTTPS:

  • This pair of rules blocks all outbound traffic from your LAN except web traffic (HTTP/HTTPS): one Pass rule for ports 80 and 443, followed by a Block rule for everything else.

To add this rule:

  • Go to Firewall > Rules > LAN.
  • Add a new rule:
    • Action: Pass
    • Protocol: TCP
    • Source: LAN subnets
    • Destination: Any
    • Destination Port Range: HTTP (80) and HTTPS (443)
    • Save and Apply Changes
  • Move this rule to the top of the list.
  • Add another rule below this one to block all other traffic:
    • Action: Block
    • Protocol: Any
    • Source: LAN subnets
    • Destination: Any
    • Destination Port Range: any (leave it at the default; with Protocol set to Any there is no port field to fill in)
    • Save and Apply Changes

3. Block Traffic to a Specific IP or Domain:

  • You can block access to a specific IP address or domain (e.g., blocking a known malicious site).

To add this rule:

  • First, create an alias for the website (only strictly necessary when the site resolves to many IP addresses, for example behind a load balancer).
  • To create the alias, go to Firewall > Aliases > IP.
  • Click Add and fill in the alias:
    • Name: BlockFacebook
    • Description: Blocking Facebook for users [P.S - No social media influencers were harmed in this article]
    • Type: Hosts
    • IP or FQDN: facebook.com
    • Give the entry any description you like.
    • Save and Apply Changes
  • Then, go to Firewall > Rules > LAN.
  • Add a new rule:
    • Action: Block
    • Protocol: Any
    • Source: LAN subnets
    • Destination: Single Host or Alias
    • Destination Address: Enter the previously created Alias here.

4. Allow LAN to LAN Communication (Optional):

  • By default, devices on the same LAN can communicate with each other. You can explicitly allow or restrict this.

To add this rule:

  • Go to Firewall > Rules > LAN.
  • Add a new rule:
    • Action: Pass
    • Protocol: Any
    • Source: LAN subnets
    • Destination: LAN subnets

When you're done, your LAN rule list should look similar to this:
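pfSense evaluates the LAN rule list from top to bottom and the first matching rule wins, and every rule you add through the GUI lands at the bottom of the list. That is why the order of the four rules above matters: the Facebook block only works if it sits above the HTTP/HTTPS pass rule, the step 1 allow-all rule has to be removed or moved below the catch-all block, and anything not explicitly passed (DNS included) is caught by "block everything else" unless the optional LAN-to-LAN rule sits above it. The script below is an added illustration written for this article, not pfSense code; it models that first-match evaluation for the four rules and assumes a LAN subnet of 192.168.1.0/24, pfSense at 192.168.1.1, and a constructed placeholder address standing in for whatever facebook.com resolves to.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple, Union

# Added illustration, not pfSense code: a minimal model of how pfSense evaluates
# LAN rules (top to bottom, first match wins, implicit deny when nothing matches).
LAN_NET = ip_network("192.168.1.0/24")          # assumed LAN subnet
LAN_GATEWAY = "192.168.1.1"                     # assumed pfSense LAN address (runs the DNS resolver)
BLOCK_FACEBOOK = frozenset({"203.0.113.200"})   # constructed placeholder for the addresses
                                                # pfSense would resolve for the facebook.com alias

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                  # "pass" or "block"
    proto: str                                   # "any", "tcp" or "udp"
    dst: Union[IPv4Network, frozenset, None]     # None means Destination: Any
    dports: Optional[frozenset] = None           # None means any destination port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    """Every rule in the article uses Source: LAN net, so that check is fixed here."""
    if ip_address(pkt.src) not in LAN_NET:
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if isinstance(rule.dst, IPv4Network) and ip_address(pkt.dst) not in rule.dst:
        return False
    if isinstance(rule.dst, frozenset) and pkt.dst not in rule.dst:
        return False
    if rule.dports is not None and pkt.dport not in rule.dports:
        return False
    return True

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, matching rule name) for the first rule that matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "block", "implicit default deny"

# The four rules from the article.
PASS_WEB = Rule("Allow HTTP/HTTPS", "pass", "tcp", None, frozenset({80, 443}))
BLOCK_ALL = Rule("Block everything else", "block", "any", None)
BLOCK_FB = Rule("Block Facebook alias", "block", "any", BLOCK_FACEBOOK)
PASS_LAN = Rule("Allow LAN to LAN", "pass", "any", LAN_NET)

# Order you get by following the steps literally (later rules are appended at the bottom).
ARTICLE_ORDER = [PASS_WEB, BLOCK_ALL, BLOCK_FB, PASS_LAN]
# Order in which every rule is reachable: specific block first, passes next, catch-all block last.
RECOMMENDED_ORDER = [BLOCK_FB, PASS_LAN, PASS_WEB, BLOCK_ALL]

# Constructed test packets (destinations use documentation address ranges).
WEB = Packet("tcp", "192.168.1.50", "198.51.100.7", 443)
SSH = Packet("tcp", "192.168.1.50", "203.0.113.10", 22)
FACEBOOK = Packet("tcp", "192.168.1.50", "203.0.113.200", 443)
DNS = Packet("udp", "192.168.1.50", LAN_GATEWAY, 53)

if __name__ == "__main__":
    for label, order in (("article order", ARTICLE_ORDER), ("recommended order", RECOMMENDED_ORDER)):
        print(label)
        for pkt in (WEB, SSH, FACEBOOK, DNS):
            print(f"  {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}: {evaluate(order, pkt)}")
```

In the literal order, facebook.com over HTTPS is passed by the web rule before the alias block is ever consulted, and DNS to pfSense itself is swallowed by the catch-all block; in the recommended order both behave as the article intends. Use the arrows in the Firewall > Rules > LAN tab (or drag the rows) to reorder, and apply changes afterwards.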

๐Ÿ”Testing Your Firewall Rules:

Let’s see pfSense in action! Time to test those firewall rules and make sure everything’s working as intended.

  1. HTTP/HTTPS Test: Jump into your Kali Linux VM and try accessing some websites. You should be able to browse the web without any issues. Success! 🎉

  2. Non-HTTP/HTTPS Test: Now, try accessing other services like FTP or SSH. Blocked, right? Exactly as planned! pfSense is doing its job like a pro. 💪

  3. Blocking Facebook access: Try to go to facebook.com and it will try to load forever. No more 'quick checks' turning into hour-long scrolling sessions!


🎓 Security Policies 101

With the basics out of the way, let’s talk security policies. These are the guidelines that ensure your firewall rules and overall network security stay top-notch.

Disable Unused Services

Less is more when it comes to services. Head over to Services and disable anything you don’t need running on your pfSense box. This reduces the attack surface and keeps things streamlined.

Secure the Web Interface

You don’t want just anyone getting into your pfSense web interface. Limit access to the LAN network only, and consider changing the default admin password to something super secure.

  1. Go to System > Advanced > Admin Access.
  2. Set the WebGUI to listen only on the LAN interface.
  3. Consider enabling HTTPS to encrypt your web interface traffic.

Keep an Eye on the Logs

Logs are your window into what’s happening in your network. Go to Status > System Logs and check out the firewall logs. You’ll see what’s being blocked, what’s allowed, and everything in between.
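Behind that GUI page pfSense keeps the raw firewall log in the filterlog CSV format (one record per logged packet: rule, tracker id, interface, action, direction, IP version, then the IP header fields, then addresses and ports). The script below is an added example, not code from the article or from pfSense; it parses a handful of constructed sample lines in that format and tallies which destination ports the "block everything else" rule is catching, which is the quickest way to spot a legitimate service you forgot to allow. Field order follows the documented filterlog layout for IPv4 TCP/UDP; the timestamps, tracker ids and addresses are made up.

```python
import csv
from collections import Counter
from io import StringIO
from typing import Dict

# Added example, not from the article or pfSense: parse the raw filterlog CSV that sits
# behind "Status > System Logs > Firewall" and count what is being blocked, by port.
# Constructed sample data; the field layout follows the documented filterlog format
# (common fields, then IPv4 header fields, then length/src/dst, then protocol fields).
SAMPLE_LOG = """\
Sep 1 10:00:01 pfSense filterlog[12345]: 5,,,1000000103,em1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,203.0.113.10,49160,22,0,S,1234567890,,65535,,mss;sackOK;TS;nop;wscale
Sep 1 10:00:02 pfSense filterlog[12345]: 5,,,1000000103,em1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,203.0.113.10,49161,22,0,S,1234567891,,65535,,mss;sackOK;TS;nop;wscale
Sep 1 10:00:03 pfSense filterlog[12345]: 5,,,1000000103,em1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.51,203.0.113.20,40000,21,0,S,1234567892,,65535,,mss;sackOK;TS;nop;wscale
Sep 1 10:00:04 pfSense filterlog[12345]: 5,,,1000000103,em1,match,block,in,4,0x0,,64,0,0,none,17,udp,64,192.168.1.51,8.8.8.8,51000,53,44
Sep 1 10:00:05 pfSense filterlog[12345]: 4,,,1000000102,em1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,198.51.100.7,49162,443,0,S,1234567893,,65535,,mss;sackOK;TS;nop;wscale
"""

COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason", "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto"]
L3 = ["length", "src", "dst"]

def parse_line(line: str) -> Dict[str, str]:
    """Split one syslog line into a dict of named fields (IPv4 TCP/UDP only)."""
    payload = line.split("filterlog[", 1)[1].split("]: ", 1)[1]
    fields = next(csv.reader([payload]))
    rec = dict(zip(COMMON, fields[:9]))
    if rec["ipver"] != "4":
        raise ValueError("only IPv4 records are modelled in this example")
    rec.update(zip(IPV4, fields[9:17]))
    rec.update(zip(L3, fields[17:20]))
    if rec["proto"] in ("tcp", "udp"):
        rec["sport"], rec["dport"] = fields[20], fields[21]
    return rec

def blocked_by_dst_port(log: str) -> Counter:
    """Count blocked flows by (protocol, destination port).

    On the LAN tab this is what the catch-all block rule is eating: in the sample,
    ssh (22), ftp (21) and DNS to an external resolver (udp/53)."""
    counts: Counter = Counter()
    for line in StringIO(log):
        line = line.strip()
        if not line:
            continue
        rec = parse_line(line)
        if rec["action"] == "block" and "dport" in rec:
            counts[(rec["proto"], int(rec["dport"]))] += 1
    return counts

if __name__ == "__main__":
    for (proto, port), n in blocked_by_dst_port(SAMPLE_LOG).most_common():
        print(f"{proto}/{port}: {n} blocked")
```

On a real box the same lines can be pulled with `clog /var/log/filter.log` (older releases) or by downloading the log from the Status > System Logs page, then fed to `blocked_by_dst_port` unchanged. A port showing up repeatedly from a machine that should have access is the signal to add a narrow Pass rule above the catch-all block rather than to widen it.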

๐ŸŒ Step 11: Controlling Traffic Between Physical Devices and Virtual Subnets

Now that you’ve got your firewall rules down, let’s make sure your physical devices and virtual subnets are playing nice with each other.

  1. Set Up VLANs: If you want to segment your network further, set up VLANs (Virtual LANs) in Interfaces > Assignments > VLANs.

  2. Firewall Rules for VLANs: Add rules specific to your VLANs to control traffic between them. For example, you might allow traffic from a trusted VLAN to access the internet but block traffic from a guest VLAN.

NOTE: Creating VLANs is outside the scope of this article; maybe another time.

🎉 Step 12: Final Thoughts and High-Fives All Around!

You did it! 🎉 You've transformed from a pfSense newbie into a network security ninja. Your digital domain is now fortified like Fort Knox, but with better Wi-Fi.

But remember, young grasshopper, network security is more of a never-ending TV series than a movie. Keep binge-watching those security updates, tweaking those configurations, and most importantly—enjoy the thrill of outsmarting potential intruders!

Now, if you'll excuse me, I need to go update my "World's Best Network Admin" mug. Until our next adventure in the digital realm, keep your firewalls high and your ping times low. Happy Hacking! 🖥️