pfSense is one of the most popular and advanced firewall and VPN solutions based on FreeBSD, widely used in both enterprise and home environments to secure networks and manage VPN connections. This guide will walk you through configuring pfSense as both a firewall and VPN to ensure a reliable and secure system for your network.

Prerequisites

Before starting, make sure you have:

  • pfSense installed and configured on your hardware or in a virtual machine.
  • Access to the pfSense web interface.
  • Basic knowledge of networking and firewalls.

1. Configuring pfSense as a Firewall

The firewall is the foundational layer of protection that pfSense provides for the network. Let’s walk through how to configure its main features.

1.1 Access the pfSense Web Interface

To start, open a web browser and access the pfSense web interface through the device’s assigned IP address (e.g., https://192.168.1.1). Once logged in, use the default administrator credentials or your custom ones if previously changed.

1.2 Set Up Network Interfaces

Ensure the network interfaces are correctly configured. In Interfaces > Assign Interfaces, you should see a list of both WAN and LAN interfaces. The WAN interface represents the Internet connection, while LAN is the internal interface for devices on the local network.

1.3 Set Basic Firewall Rules

Go to Firewall > Rules and select the interface you want to add rules to, usually the LAN interface.

  1. Create an Allow Rule: Most standard LAN configurations allow outbound traffic (from LAN to WAN) but block inbound traffic. You can set a rule that allows all internal traffic from LAN to the Internet:
    • Go to Firewall > Rules > LAN > Add Rule.
    • Set Action to Pass.
    • Set Source to LAN net and Destination to any.
    • Save and apply the rule.
  2. Block Unauthorized Incoming Traffic: By default, pfSense blocks inbound connections on the WAN interface to protect your network, so there’s no need to manually configure this rule.

1.4 Configure Advanced Rules (Optional)

For more control, you can also configure rules to restrict specific protocols (e.g., only HTTP and HTTPS) or block access to specific websites using aliases (a feature that allows you to define groups of IP addresses or URLs).

  1. Creating an Alias to Block Specific Sites:
    • Go to Firewall > Aliases > Add.
    • Assign a name and add the IP addresses or URLs of the websites you wish to block.
    • In Firewall > Rules > LAN, create a new rule, setting Source to LAN net, Destination to the new alias, and Action to Block.
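The allow-all rule from 1.3 and the alias block rule from 1.4 interact, because pfSense evaluates the rules on an interface top-down and the first match wins. The following added example (not pfSense code; the aliases, rules and addresses are constructed) models that evaluation and shows that the block rule only has an effect when it sits above the allow rule:

```python
import ipaddress
from dataclasses import dataclass

# Constructed aliases: "LAN net" is pfSense's built-in alias for the LAN subnet,
# "BlockedSites" is the alias created in 1.4 (example addresses only).
ALIASES = {
    "LAN net": ["192.168.1.0/24"],
    "BlockedSites": ["203.0.113.10", "198.51.100.0/24"],
}

@dataclass
class Rule:
    action: str          # "pass" or "block"
    source: str          # alias name or "any"
    destination: str     # alias name or "any"
    description: str = ""

def _matches(alias: str, addr: str) -> bool:
    """True if addr falls inside any network of the alias ('any' matches everything)."""
    if alias == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in ALIASES[alias])

def evaluate(rules, src, dst):
    """First-match evaluation, as pfSense does per interface.
    Returns (action, description) of the matching rule; with no match the
    interface's implicit default deny applies."""
    for r in rules:
        if _matches(r.source, src) and _matches(r.destination, dst):
            return r.action, r.description
    return "block", "default deny"

# Ordering that works: the alias block rule above the allow-all rule.
CORRECT_ORDER = [
    Rule("block", "LAN net", "BlockedSites", "Block listed sites"),
    Rule("pass", "LAN net", "any", "Default allow LAN to any"),
]
# Same two rules, but the block rule was appended below the existing allow-all.
WRONG_ORDER = list(reversed(CORRECT_ORDER))

if __name__ == "__main__":
    for name, rules in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(name, evaluate(rules, "192.168.1.50", "203.0.113.10"))
```

In the wrong ordering the blocked destination is still reachable, which is easy to miss when the block rule is added after the default LAN rule.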

2. Configuring pfSense as a VPN

Beyond its firewall capabilities, one of pfSense’s main features is VPN support, allowing you to establish secure connections between devices and networks. The two most common VPN options in pfSense are OpenVPN and IPsec.

2.1 Configuring OpenVPN

OpenVPN is popular because it offers flexible configuration and broad client compatibility. Here’s how to set it up:

  1. Set Up the CA Certificate:
    • Go to System > Cert Manager > CAs and click Add.
    • Enter a name and details for the Certificate Authority (CA), which will be used to sign client and server certificates.
    • Save the CA.
  2. Create the Server VPN Certificate:
    • Go to System > Cert Manager > Certificates and click Add.
    • Select Server as the certificate type and assign the certificate to the CA created in the previous step.
    • Save the certificate.
  3. Configure the OpenVPN Server:
    • Go to VPN > OpenVPN > Servers and click Add.
    • Set the server type to Peer to Peer (SSL/TLS).
    • Select the CA and server certificate you just created.
    • Configure the listening port (by default, OpenVPN uses port 1194).
    • In Tunnel Network, enter an IP range for the VPN tunnel (e.g., 10.0.8.0/24).
    • Set Local Network to your LAN IP range (e.g., 192.168.1.0/24).
    • Save and apply the settings.
  4. Create VPN Users:
    • Go to System > User Manager and click Add User.
    • Create a new user and grant VPN permissions.
    • Assign a user certificate by selecting the CA created earlier.
  5. Configure the VPN Client:
    • Go to VPN > OpenVPN > Client Export and download the configuration file for your device (e.g., .ovpn for Windows or Android).
    • Install the OpenVPN client on your device and import the configuration file.

2.2 Configuring IPsec VPN (Optional)

If you prefer to use IPsec, follow these steps:

  1. Set Up Phase 1 (IKE):
    • Go to VPN > IPsec > Tunnels and click Add Tunnel.
    • Configure the Remote Endpoint and choose your preferred encryption.
    • Set the authentication protocol and key type.
  2. Configure Phase 2 (Policies):
    • After configuring Phase 1, add Phase 2 to set traffic policies, source and destination networks.
    • Apply and save your configurations.

3. Testing and Verifying the VPN Connection

Once the VPN is configured, it’s essential to test the connection to ensure everything works properly.

  • For OpenVPN: Start the VPN client and attempt to connect to the server. Check that your device’s IP changes and that you have access to the internal network.
  • For IPsec: Connect the client and verify access to the internal network.

If issues arise, check the logs in Status > System Logs > OpenVPN or IPsec for any errors.
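The OpenVPN log is where failed connections show up with their cause. The added example below (not part of this guide's original content) sorts OpenVPN server log lines per remote peer into the cases a practitioner looks for first: successful connections, rejected client certificates, handshake timeouts and packets that fail the TLS key check. The sample lines are constructed, modelled on OpenVPN's own message formats with a pfSense-style syslog prefix and documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample log (hypothetical host name, PID and addresses).
SAMPLE_LOG = """\
Nov  5 10:12:01 pfsense openvpn[4321]: 203.0.113.5:51234 VERIFY OK: depth=1, CN=MyCA
Nov  5 10:12:01 pfsense openvpn[4321]: 203.0.113.5:51234 [alice] Peer Connection Initiated with [AF_INET]203.0.113.5:51234
Nov  5 10:15:44 pfsense openvpn[4321]: 198.51.100.9:40000 VERIFY ERROR: depth=0, error=certificate has expired: CN=bob
Nov  5 10:15:44 pfsense openvpn[4321]: 198.51.100.9:40000 TLS Error: TLS handshake failed
Nov  5 10:20:02 pfsense openvpn[4321]: 198.51.100.77:55021 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Nov  5 10:21:13 pfsense openvpn[4321]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.0.2.33:61000
"""

# Most server messages are prefixed with the peer's "ip:port"; some are not.
PEER_RE = re.compile(r"openvpn\[\d+\]: (?:(?P<peer>\d{1,3}(?:\.\d{1,3}){3}):\d+ )?(?P<msg>.*)")
HMAC_RE = re.compile(r"from \[AF_INET\](?P<peer>\d{1,3}(?:\.\d{1,3}){3}):\d+")

def classify(msg):
    """Map one OpenVPN message to an actionable category (None = not interesting)."""
    if "Peer Connection Initiated" in msg:
        return "connected"
    if "VERIFY ERROR" in msg:
        return "cert_rejected"     # expired/revoked/unknown client certificate
    if "cannot locate HMAC" in msg:
        return "bad_tls_auth"      # TLS key mismatch, or unrelated traffic hitting the port
    if "key negotiation failed" in msg:
        return "timeout"           # port reached, handshake never completed (often a firewall/NAT issue)
    if "TLS Error" in msg:
        return "tls_error"
    return None

def triage(log_text):
    """Return {peer_ip: {category: count}} for the events worth acting on."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = PEER_RE.search(line)
        if not m:
            continue
        peer, msg = m.group("peer"), m.group("msg")
        if peer is None:                      # fall back to the address inside the message
            h = HMAC_RE.search(msg)
            peer = h.group("peer") if h else "unknown"
        cat = classify(msg)
        if cat:
            summary[peer][cat] += 1
    return {p: dict(c) for p, c in summary.items()}

if __name__ == "__main__":
    for peer, counts in triage(SAMPLE_LOG).items():
        print(peer, counts)
```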

4. Configure Firewall Rules for VPN

To ensure the VPN functions properly, configure firewall rules to allow VPN traffic. Go to Firewall > Rules > OpenVPN (or IPsec) and add a Pass rule to allow traffic to the internal network.

5. Other Useful pfSense Features

pfSense offers several advanced features that can enhance security and control over your network:

  • Captive Portal: Configure a login page for network users.
  • IDS/IPS: Use intrusion detection and prevention systems like Snort or Suricata.
  • Traffic Shaper: Manage and optimize the available bandwidth.

Conclusion

Setting up pfSense as a firewall and VPN provides a flexible, robust solution for network management, ensuring both protection and advanced control. With this guide, you’ve set up firewall rules to secure your internal network and created a VPN connection for secure remote access. pfSense is a highly customizable platform that allows you to tailor the configuration to your network infrastructure’s specific needs.
