
Escape Backslash

LAN Firewall

Now that the installation has been completed it’s time to create some firewall rules.

Adding Firewall Rules

Configure LAN Rules

The default for pfSense is to block all traffic arriving on the WAN interface and to allow all traffic arriving on the LAN interface. That is, any connection initiated from the LAN is allowed through the firewall and any connection hitting the WAN interface from outside is dropped…

This section describes how to configure the LAN interface to only allow connections for specific services (DNS, NTP, Web, E-Mail, FTP, etc) and block
everything else initiated from the LAN.

System Admin Rules

Although pfSense has a default ‘Anti-lockout Rule’ it is not ideal: it allows port 80 and port 443 connections to the LAN address from any source address arriving on the LAN interface, and it does not cover SSH.

A more secure approach only allows HTTPS (port 443) and SSH (port 22) connections to the pfSense LAN address, and only from clients on the LAN network.

First an alias will need to be created for the management ports.


Navigate to Firewall - Aliases and select the Ports tab.
Create an alias called ManagementPorts and specify the two ports (22 and 443).

Select Save and then Apply Changes.

Now create the actual rules:


Navigate to Firewall - Rules and select the LAN tab.
Add a new Pass rule for TCP from the LAN network to the LAN address on the management ports (the alias created above).

Action: Pass
Interface: LAN
Protocol: TCP
Source: LAN net
Destination: LAN address
Destination port range (from): other - ManagementPorts
Description: Allow pfSense Management.

Select Save.
Add a new Reject rule for TCP from any source to the LAN address on the management ports (the alias created above).

Action: Reject
Interface: LAN
Protocol: TCP
Source: any
Destination: LAN address
Destination port range (from): other - ManagementPorts
Log: Checked
Description: Block pfSense Management

Select Save.
Order the firewall rules to have the Pass rule at the top of the list and the Reject rule second.

Select Apply Changes.

Note: In the screenshot that accompanied this step (not reproduced here) the default ‘Anti-lockout Rule’ has been turned off. To do this (only after the two rules above are in place and applied: once the default allow ‘LAN to any’ rule is switched to Reject later in this section, the Pass rule above is the only thing keeping the web interface and SSH reachable) navigate to System - Advanced and check the ‘Disable webConfigurator anti-lockout rule’ check box. It is worth keeping the console session from the installation available until an HTTPS and an SSH connection have both been verified from a LAN client.

Select Save.

Progress Check

At this point any client computer on the LAN network should be able to make either an SSH or HTTPS connection to the pfSense host.

DNS Rules

Force the use of the DNS servers specified in the Services - DHCP Server tab. The idea here is to ensure that only the DNS servers configured in pfSense are used and that no client on the LAN can bypass that setting.

For this project OpenDNS provides external filtering and pfSense is configured to enforce its use by all LAN clients; the alias is named accordingly.

First an alias will need to be created for the configured DNS server addresses:
Navigate to Firewall - Aliases and select the IP tab.
Create an alias called OpenDNS and specify the OpenDNS IP addresses.

Select Save and then Apply Changes.

Now create the actual rules:


Navigate to Firewall - Rules and select the LAN tab.
Add a new Pass rule for TCP/UDP from the LAN to OpenDNS (the alias created above) on the DNS port.

Action: Pass
Interface: LAN
Protocol: TCP/UDP
Source: LAN net
Destination (Type): Single host or alias: other - OpenDNS
Destination: port range (from): DNS
Description: DNS Allow

Select Save.
Add a new Reject rule for TCP/UDP from the LAN to every DNS server that is not OpenDNS (the alias created above, with ‘not’ checked) on the DNS port.

Action: Reject
Interface: LAN
Protocol: TCP/UDP
Source: LAN net
Destination (Type): Single host or alias: other - OpenDNS
Check the ‘not’ (invert match) checkbox next to the destination, so the rule matches every DNS server except OpenDNS
Destination port range (from): DNS
Log: Checked
Description: DNS Block

Select Save.
Order the firewall rules to have the Pass rule before the Block rule, keeping the DNS rules together (one under the other).

Select Apply Changes.

Progress Check

At this point, if any client computer has manually overridden the DNS settings provided by DHCP it will not be able to resolve domain names (normal web browsing will not work). Note that these rules only match the standard DNS port; a client pointed at a resolver listening on some other port is not caught by them and is handled by the rules that follow instead.

NTP Rules

Allow any client computer on the LAN access to the Network Time Protocol (NTP), which allows automatic clock synchronisation.

First an alias will need to be created for NTP (Port 123):


Navigate to Firewall - Aliases and select the Ports tab.
Create an alias called Time and specify the NTP port.

Select Save and then Apply Changes.

Now create the actual rules:


Navigate to Firewall - Rules and select the LAN tab.
Add a new Pass rule for TCP/UDP from the LAN to anywhere on the Time port (the alias created above) for NTP traffic.

Action: Pass
Interface: LAN
Protocol: TCP/UDP
Source: LAN net
Destination (Type): any
Destination: port range (from): other - Time (the alias created above for NTP).
Description: Time Allow

Select Save.
Order the firewall rules to have the Time rule after the DNS rules.

Select Apply Changes.

Progress Check

Any client computer should be able to reach its configured time source and synchronise its clock.

Web Browsing Rules

Now that the basic system services are taken care of it’s time to allow any client computer on the LAN access to web browsing.

For web browsing only two ports are required: port 80 for HTTP traffic and port 443 for HTTPS traffic. Only TCP is needed for ordinary web browsing.

A specific rule for HTTP and HTTPS will be required once the default allow ‘LAN to Any’ rule is turned off.

First an alias will need to be created for HTTP (Port 80) and HTTPS (Port 443):
Navigate to Firewall - Aliases and select the Ports tab.
Create an alias called WebBrowsing and specify the two ports.

Select Save and then Apply Changes.

Now create the actual rules:


Navigate to Firewall - Rules and select the LAN tab.
Add a new Pass rule for TCP from the LAN to anywhere for WebBrowsing (the alias created above) for HTTP and HTTPS traffic.

Action: Pass
Interface: LAN
Protocol: TCP
Source: LAN net
Destination (Type): any
Destination: port range (from): other - WebBrowsing (the alias created above for web browsing).
Description: Web Allow

Select Save.
Order the firewall rules to have the Web rule after the Time rule.

Select Apply Changes.

Progress Check

Any client computer should be able to browse the internet.

E-Mail Rules

The second most popular thing will be to allow any client computer on the LAN access to e-mail.

For e-mail there are many ports to consider: port 25 for SMTP, 465 for SMTP over SSL and 587 for mail submission (which normally upgrades to TLS with STARTTLS). Then port 110 for POP3 and 995 for POP3 over SSL. Finally port 143 for IMAP and 993 for IMAP over SSL.

A specific rule for SMTP, POP3 and IMAP will be required once the default allow ‘LAN to Any’ rule is turned off.

For this project only the encrypted (SSL/TLS) ports will be enabled and all clients will be configured accordingly; plain SMTP (25), POP3 (110) and IMAP (143) stay blocked.

First an alias will need to be created for SMTP (ports 465 and 587), POP3 (port 995) and IMAP (port 993):
Navigate to Firewall - Aliases and select the Ports tab.
Create an alias called EMail (alias names may only contain letters, digits and underscores, so no hyphen) and specify all the ports listed above.

Select Save and then Apply Changes.

Now create the actual rules:


Navigate to Firewall - Rules and select the LAN tab.
Add a new Pass rule for TCP from the LAN to anywhere for EMail (the alias created above) for SMTP, POP3 and IMAP traffic.

Action: Pass
Interface: LAN
Protocol: TCP
Source: LAN net
Destination (Type): any
Destination: port range (from): other - EMail (the alias created above for e-mail traffic).
Description: E-Mail Allow

Select Save.
Order the firewall rules to have the E-Mail rule after the Web rule.

Select Apply Changes.

Progress Check

Any client computer should be able to send and receive E-Mail.

FTP Rules

FTP is a very old protocol that sends everything in plain text, including the username and password; it is an insecure protocol, don’t use it!

If there is no other option and FTP must be used there are several ports involved: port 21 (FTP control) and port 20 (active-mode data), or port 990 (FTPS control) and port 989 (FTPS data). If passive mode is required the client also connects to the server’s passive data port range, which can be anything above 1024 unless the server administrator has restricted it, so a large range of high ports may need to be opened.

SFTP Rules

A better option is to use the SFTP (SSH File Transfer Protocol) as all communication is encrypted.

A specific rule for SSH will be required once the default allow ‘LAN to Any’ rule is turned off.

First an alias will need to be created for SSH (port 22 is the default); depending on the configuration of the server additional ports may need to be added (check with the server administrator). Although this could be configured without an alias, using one makes it easier to add ports later:
Navigate to Firewall - Aliases and select the Ports tab.
Create an alias called SSH and specify all the ports listed above.

Select Save and then Apply Changes.

Now create the actual rules:


Navigate to Firewall - Rules and select the LAN tab.
Add a new Pass rule for TCP from the LAN to anywhere for SSH (the alias created above) for SSH traffic.

Action: Pass
Interface: LAN
Protocol: TCP
Source: LAN net
Destination (Type): any
Destination port range (from): other - SSH (the alias created above for SSH traffic).
Description: SSH Allow

Select Save.
Order the firewall rules to have the SSH rule after the E-Mail rule.

Select Apply Changes.

Progress Check

Any client computer should be able to access SSH services.

Turn off the Default Allow Rules

Now that the “essential” services have specific rules it’s time to turn off the default allow rules.

Edit both the “Default allow LAN to any rule” and the “Default allow LAN IPv6 to any rule”, set them to “Reject” and enable “Log packets…”. Reject (rather than Block) answers with a TCP reset or ICMP unreachable, so LAN clients fail immediately instead of waiting for a timeout, which is the sensible choice on an internal interface; logging these rules is what makes the next step possible.

Monitor the firewall logs to see whether anything that may still be needed is being rejected by the LAN rules:
Navigate to Status - System Logs and select the Firewall tab.
Type LAN in the Interface field and then select Filter.
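The same check can be done against the raw log lines (syslog from pfSense, or the output of clog on the firewall log), which is useful when the GUI filter is too coarse. The script below is an added example for this page, not pfSense code: it parses lines in the pfSense filterlog CSV layout (rule number, sub-rule, anchor, tracker, real interface, reason, action, direction, IP version, the IPv4 header fields, protocol, length, source, destination, then ports for TCP/UDP) and counts what the LAN rules are rejecting by destination port and host. The sample log lines are constructed for the example, the interface name em0 is the real LAN interface assigned in the installation section (the raw log carries that name, not “LAN”), and reject rules appear with the action “block” in the raw log.

```python
"""Summarise what the LAN rules are rejecting, from raw pfSense filterlog lines.

Added example, not pfSense code. The field layout assumed is the pfSense
filterlog CSV format: rule-number, sub-rule, anchor, tracker, real-interface,
reason, action, direction, ip-version, then for IPv4 tos, ecn, ttl, id,
offset, flags, protocol-id, protocol-name, length, src, dst, and for TCP/UDP
src-port, dst-port, data-length (TCP adds flags and more after that).
Reject rules are recorded with action "block" in the raw log.
"""
from collections import Counter

LAN_IF = "em0"  # real interface name behind "LAN" in this install (see the install section)

# Constructed sample log for this example, not a capture from a real system.
SAMPLE_LOG = """\
Jan 10 09:15:01 pfSense filterlog: 11,,,1000000111,em0,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,192.168.36.100,203.0.113.5,51234,25,0,S,1234567890,,65535,,mss;sackOK;TS;nop;wscale
Jan 10 09:15:02 pfSense filterlog: 4,,,1000000104,em0,match,block,in,4,0x0,,64,12346,0,none,17,udp,68,192.168.36.100,8.8.8.8,54321,53,48
Jan 10 09:15:03 pfSense filterlog: 11,,,1000000111,em0,match,block,in,4,0x0,,64,12347,0,DF,6,tcp,60,192.168.36.101,203.0.113.5,51235,25,0,S,1234567891,,65535,,mss;sackOK;TS;nop;wscale
Jan 10 09:15:04 pfSense filterlog: 2,,,1000000102,fxp0,match,block,in,4,0x0,,52,555,0,none,6,tcp,40,198.51.100.9,10.12.2.121,44444,22,0,S,99,,1024,,
Jan 10 09:15:05 pfSense filterlog: 6,,,1000000106,em0,match,pass,in,4,0x0,,64,12348,0,DF,6,tcp,60,192.168.36.100,93.184.216.34,51236,443,0,S,7,,65535,,mss
Jan 10 09:15:06 pfSense sshd[1234]: Accepted publickey for admin from 192.168.36.100 port 50000 ssh2
"""


def parse_filterlog(line):
    """Return the fields of one IPv4 filterlog line as a dict, or None for other lines."""
    if "filterlog: " not in line:
        return None
    f = line.split("filterlog: ", 1)[1].split(",")
    if len(f) < 20 or f[8] != "4":          # IPv6 entries have a different header layout
        return None
    entry = {
        "rule": f[0], "tracker": f[3], "iface": f[4], "action": f[6], "dir": f[7],
        "proto": f[16], "src": f[18], "dst": f[19], "sport": None, "dport": None,
    }
    if entry["proto"] in ("tcp", "udp") and len(f) >= 22:
        entry["sport"], entry["dport"] = int(f[20]), int(f[21])
    return entry


def blocked_on_lan(log_text, lan_if=LAN_IF):
    """Count rejected inbound LAN flows by (proto, dst-port, dst), most frequent first.

    This is the 'is anything I still need being rejected?' view: WAN-side blocks
    and passed traffic are left out.
    """
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_filterlog(line)
        if e and e["iface"] == lan_if and e["dir"] == "in" and e["action"] == "block":
            counts[(e["proto"], e["dport"], e["dst"])] += 1
    return counts.most_common()


if __name__ == "__main__":
    for (proto, dport, dst), n in blocked_on_lan(SAMPLE_LOG):
        print(f"{n:4d}  {proto}/{dport} -> {dst}")
```

On the constructed sample the summary shows two rejected plain-SMTP attempts to one host and one attempt to use a non-OpenDNS resolver; the WAN-side SSH probe and the passed HTTPS connection are excluded. Anything that shows up here repeatedly and is legitimately needed gets its own alias and Pass rule above the final Reject rule.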

iMessage and FaceTime Rules

It didn’t take long to notice that specific rules were needed for these two popular Apple services.

From the Apple support article Using FaceTime and iMessage behind a firewall it becomes clear that quite a few ports need to be opened.

The approach taken for this project is to create three aliases:


An IP alias for the address range 17.0.0.0/8 called Apple (Apple Address Range).
A Ports alias for port 5223 called AppleTCP (Apple TCP Services).
A Ports alias for ports 3478:3497, 16384:16387 and 16393:16402 called AppleUDP (Apple UDP Services).

And three firewall rules:


A Pass rule for TCP from the LAN to Apple (the alias created above) for destination ports AppleTCP (the alias created above).
A Pass rule for UDP from the LAN to anywhere for destination ports AppleUDP (the alias created above).
A Pass rule for UDP from the LAN with source ports AppleUDP (the alias created above) to anywhere.
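The management, DNS, NTP, web, e-mail, SSH and Apple rules above form one ruleset, and the repeated instruction to keep them in order matters because pfSense evaluates the rules on an interface top-down and the first match wins; anything no rule matches falls into pfSense’s implicit default deny. The following Python model of that evaluation is an added example for this page, not pfSense code: it encodes the aliases and rules from this section as data and walks sample flows through them. The LAN network (192.168.36.96/27) and LAN address (192.168.36.121) are taken from the installation section, the OpenDNS addresses from the setup wizard, and the two-port “Apple UDP (source ports)” rule models the third Apple rule as a source-port match; it simplifies by ignoring state and IPv6.

```python
"""Model of first-match evaluation for the LAN ruleset built in this section.

Added example: a simplified model of how pf/pfSense walk the LAN rules
top-down, not pfSense code. Addresses follow the install walkthrough.
"""
import ipaddress
from dataclasses import dataclass

LAN_NET = ipaddress.ip_network("192.168.36.96/27")      # LAN net from the install section
LAN_ADDRESS = ipaddress.ip_address("192.168.36.121")    # LAN address from the install section

# IP aliases (Firewall - Aliases, IP tab)
IP_ALIASES = {
    "OpenDNS": [ipaddress.ip_network("208.67.222.222/32"),
                ipaddress.ip_network("208.67.220.220/32")],
    "Apple": [ipaddress.ip_network("17.0.0.0/8")],
}
# Port aliases (Firewall - Aliases, Ports tab), as (low, high) ranges
PORT_ALIASES = {
    "ManagementPorts": [(22, 22), (443, 443)],
    "DNS": [(53, 53)],
    "Time": [(123, 123)],
    "WebBrowsing": [(80, 80), (443, 443)],
    "EMail": [(465, 465), (587, 587), (993, 993), (995, 995)],
    "SSH": [(22, 22)],
    "AppleTCP": [(5223, 5223)],
    "AppleUDP": [(3478, 3497), (16384, 16387), (16393, 16402)],
}


@dataclass
class Rule:
    action: str               # "pass" or "reject"
    protos: tuple             # ("tcp",), ("udp",) or ("tcp", "udp")
    src: str                  # "LAN net" or "any"
    dst: str                  # "LAN address", "any" or an IP alias name
    dport: str = "any"        # destination port alias name or "any"
    sport: str = "any"        # source port alias name or "any"
    dst_not: bool = False     # the 'not' (invert match) box on the destination
    log: bool = False
    descr: str = ""


# The LAN tab in the order the section specifies, ending with the former
# "Default allow LAN to any" rule switched to Reject.
LAN_RULES = [
    Rule("pass", ("tcp",), "LAN net", "LAN address", "ManagementPorts", descr="Allow pfSense Management"),
    Rule("reject", ("tcp",), "any", "LAN address", "ManagementPorts", log=True, descr="Block pfSense Management"),
    Rule("pass", ("tcp", "udp"), "LAN net", "OpenDNS", "DNS", descr="DNS Allow"),
    Rule("reject", ("tcp", "udp"), "LAN net", "OpenDNS", "DNS", dst_not=True, log=True, descr="DNS Block"),
    Rule("pass", ("tcp", "udp"), "LAN net", "any", "Time", descr="Time Allow"),
    Rule("pass", ("tcp",), "LAN net", "any", "WebBrowsing", descr="Web Allow"),
    Rule("pass", ("tcp",), "LAN net", "any", "EMail", descr="E-Mail Allow"),
    Rule("pass", ("tcp",), "LAN net", "any", "SSH", descr="SSH Allow"),
    Rule("pass", ("tcp",), "LAN net", "Apple", "AppleTCP", descr="Apple TCP"),
    Rule("pass", ("udp",), "LAN net", "any", "AppleUDP", descr="Apple UDP (destination ports)"),
    Rule("pass", ("udp",), "LAN net", "any", sport="AppleUDP", descr="Apple UDP (source ports)"),
    Rule("reject", ("tcp", "udp"), "LAN net", "any", log=True, descr="Default allow LAN to any rule (set to Reject)"),
]


def _addr_matches(spec, addr, negate=False):
    if spec == "any":
        hit = True
    elif spec == "LAN net":
        hit = addr in LAN_NET
    elif spec == "LAN address":
        hit = addr == LAN_ADDRESS
    else:
        hit = any(addr in net for net in IP_ALIASES[spec])
    return (not hit) if negate else hit


def _port_matches(alias, port):
    return alias == "any" or any(lo <= port <= hi for lo, hi in PORT_ALIASES[alias])


def evaluate(proto, src, sport, dst, dport, rules=LAN_RULES):
    """Walk the LAN rules top-down and return (action, description) of the first match.

    Traffic no rule matches falls through to pfSense's implicit default deny.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if proto not in rule.protos:
            continue
        if not _addr_matches(rule.src, src_ip):
            continue
        if not _addr_matches(rule.dst, dst_ip, rule.dst_not):
            continue
        if not _port_matches(rule.sport, sport) or not _port_matches(rule.dport, dport):
            continue
        return rule.action, rule.descr
    return "block", "default deny (no rule matched)"


if __name__ == "__main__":
    client, resolver = "192.168.36.100", "208.67.222.222"
    for flow in [("tcp", client, 51000, "192.168.36.121", 443),    # GUI from a LAN client
                 ("tcp", "10.0.0.5", 51000, "192.168.36.121", 22),  # SSH from a wrong subnet
                 ("udp", client, 51000, resolver, 53),              # DNS to OpenDNS
                 ("udp", client, 51000, "8.8.8.8", 53),             # DNS bypass attempt
                 ("tcp", client, 51000, "203.0.113.5", 25)]:        # plain SMTP, not in EMail
        print(flow, "->", evaluate(*flow))
    # Ordering matters: swap the two management rules and LAN clients lose the GUI.
    swapped = [LAN_RULES[1], LAN_RULES[0]] + LAN_RULES[2:]
    print("swapped:", evaluate("tcp", client, 51000, "192.168.36.121", 443, swapped))
```

Two things the model makes visible that the GUI does not: a host with a mis-set static address outside the LAN network never reaches the final Reject rule (whose source is LAN net) and is dropped silently by the default deny, which is why that rule alone is not a complete audit trail; and swapping the two management rules, the ordering mistake the section warns about, rejects every LAN client’s HTTPS and SSH connection to the firewall.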

Resources

Below are several references that can be useful when making decisions about firewall rules:
Ports used by Apple Products.
Ports used by Microsoft Windows.
Service Name and Transport Protocol Port Number Registry.

This concludes the LAN Firewall section…

© 2016 Contact


The Hardware

Selecting the hardware and installing the software: without this nothing else can be done, so let’s get started…

Let the Fun Begin

Selecting the hardware

Choose a minimal hardware specification; have a look at pfSense Hardware Requirements to find the best option.

For this project the following specifications are being used:


CPU - Celeron 2.4 Ghz.
RAM - 2 Gig.
HDD - 30 Gig.
DVD - CD-ROM.
Main-board - With integrated 100 Meg and Gigabit ethernet ports.
NIC - Dual port Gigabit Ethernet PCI card.

This gives more than enough hard-drive storage, plenty of RAM with three Gigabit ethernet ports for the internal (LAN, DMZ etc) interfaces and a 100 Meg
ethernet port for the external (WAN) port.

Installing the software

There is a detailed installation guide available on the pfSense document site Installing pfSense.

The basic steps are:


Download the ISO from Download pfSense.
Burn the ISO to CD.
Boot-up using the pfSense CD.
Follow the prompts.

Let The Fun Begin

Below are the options selected for this project (using pfSense 2.2):
Boot the PC from the pfSense CD.
When the “Welcome to pfSense!” screen is displayed select “1. Boot Multi User [Enter]” (or let the timer expire to install the default).
When prompted select “(I) Installer…” to install (if you’re not quick the timer will expire).
Graphical Installer Starts

Configure Console “Accept these Settings”.


Select Task “Custom Install”.
Select a Disk “ad0”
Format this Disk? “Format this Disk”.
Select Geometry “Use this Geometry”
ABOUT TO FORMAT! Proceed? “Format ad0”
Partition Disk? “Partition Disk”
Edit Partitions “Accept and Create”
Install Bootblock(s) “Accept and Install Bootblocks”.
Select a Partition “1:”.
Are you Sure? “OK”.
Select Subpartitions “Accept and Create”
Executing Commands (this could take a few minutes).
Install Kernel(s) “Standard Kernel”.
Reboot “Reboot”.

*** Remove the CD from the CD-ROM ***

The “Welcome to pfSense” menu should now be displayed, with the WAN (wan) set to em0 and the LAN (lan) set to em1 with the IP address
192.168.1.1/24.

Select “1) Assign interfaces”
Do you want to set up VLANs now [y|n] “y”
Enter the parent interface name for the new VLAN (or nothing if finished): Enter
Enter the WAN interface “fxp0”
Enter the LAN interface “em0”
Enter the Optional 1 interface name (or nothing if finished): Enter
Do you want to proceed [y|n] “y”

*** Wait a minute or so and the menu will reappear ***

The “Welcome to pfSense” menu should now be displayed, with the WAN (wan) set to fxp0 and the LAN (lan) set to em0 with the IP address
192.168.1.1/24.

Setup the WAN and LAN interfaces:

Select “2) Set interface(s) IP address”


Select the WAN interface:

Configure IPv4 address WAN interface via DHCP? [y/n]: “n”


Set the WAN IPv4 to:
Address - 10.12.2.121
Subnet - 30 (255.255.255.252)
Gateway - 10.12.2.122
Configure IPv6 address WAN interface via DHCP? [y/n]: “n”
Enter the new WAN IPv6 address. Press Enter for none: Enter
Do you want to revert to HTTP as the webConfigurator protocol? [y/n]: “n”
Press Enter to continue…

Select “2) Set interface(s) IP address”


Set the LAN interface:

Set the LAN IPv4 to:


Address - 192.168.36.121
Subnet - 27 (255.255.255.224)
Press Enter
Enter the new LAN IPv6 address. Press Enter for none: Enter

Do you want to enable the DHCP server on LAN [y/n] “y”


Start - 192.168.36.97
End - 192.168.36.120
Do you want to revert to HTTP as the webConfigurator protocol? [y/n]: “n”
Press Enter to continue…

Select “5) Reboot system”.

That’s the basic installation completed, from this point onwards the keyboard and monitor can be removed as the rest of the configuration will be done
from the web-interface.

Open a web browser on any computer that has access to the LAN port of this pfSense installation, go to “https://192.168.36.121” and log on to the web interface (username: admin, password: pfsense; this is the factory default, which the setup wizard replaces below).

Select “next” when presented with the setup wizard and then make the following changes:

Hostname: pfSense (no changes needed).


Domain: utm-domain.net
Primary DNS Server: 208.67.222.222
Secondary DNS Server: 208.67.220.220
Override DNS: deselect this, so that DNS servers handed out by the ISP on the WAN cannot replace the OpenDNS servers above.
Select “Next”
Set the Timezone.
Select “Next” for the Time Server Information (no changes needed).
Select “Next” for WAN information (no changes needed).
Select “Next” for LAN information (no changes needed).
Set an Admin password (don’t forget this).

Select Reload.
Continue on to the pfSense web-interface…
Check for Updates

From the web-interface menu select Status - Dashboard
Check the Version
If it displays Update Available, select Click Here to view the update.
Select Auto Update then Invoke Auto Upgrade.

This will take the system to the latest version available if any updates are available.

Note: Now is a good time to enable the Secure Shell Server (it will allow you to establish an SSH connection to this host). To do this navigate to System
- Advanced and ‘check’ the Secure Shell Server check box.
Select Save


LAN DHCP Server

Configure the DHCP server for the LAN interface to control the range of dynamically assigned IP addresses and the DNS servers handed out to clients.

Finishing DHCP Configuration

Configure DNS Servers

Everything should be configured except the DNS servers; as this network uses OpenDNS as an external layer of protection, their IP addresses need to be specified here.

To learn more, see OpenDNS.

Adding DNS Servers


Navigate to Services - DHCP Server and select LAN.
Enter the primary and secondary OpenDNS server addresses.

Select Save

Progress Check

At this point any client computer connected to the LAN interface should be automatically assigned an IP address and be able to connect to the
internet…


Traffic Control

Prioritise traffic in an attempt to optimise the client machines network experience (make web browsing more responsive).

Traffic Shaping and Queuing

What is Traffic Shaping and Queuing

Traffic shaping is used to optimise or guarantee performance, improve latency, and/or increase usable bandwidth for some kinds of packets by delaying
others.

For more details have a look at this Traffic Shaping Wikipedia article.

Know Your Connection Speeds

Before you can implement traffic shaping the Upload and Download connection speeds to the ISP must be known.

From interrogating the modem for this network the Upstream Line Rate was found to be 1020 Kbps and a Downstream 19999 Kbps. Be careful using line
rates in your traffic shaping rules as they most likely don’t account for L1/L2 and TCP/IP overheads (approximately 20% for ADSL).

It’s also a good idea to check the connection speed from your network to the ISP, most ISPs will have a speed check utility.

ISP Speed Test


Upstream - 810 Kbps
Downstream - 15145 Kbps

As a last resort a speed check to “somewhere on the internet” might give you an idea…

SpeedOf.Me
Upstream - 870 Kbps
Downstream - 12.86 Mbps

Traffic shaping only works if pfSense is the device that queues and drops packets, so it is very important not to set the upper limits higher than the speeds the link actually achieves. If the limits are too high the queues on pfSense never fill, the packets are dropped by the ISP’s equipment instead, and no local shaping takes place.

For this project the ISP Speed Test values will be used in the pfSense Traffic Shaper rules…

Getting Started

The easiest way to get started is to use one of the Traffic Shaper Wizards.
Navigate to Firewall - Traffic Shaper and select Wizards.
Open the Multiple Lan/Wan wizard.

Set one WAN port and one LAN port then select Next.

Select HFSC for both interfaces.


Enter the Upload and Download speeds for your ISP connection and select Next.

Select Next for the following page (unless you use any of these services).

Voice over IP
Penalty Box
Peer to Peer networking
Network Games

Select Enable on the Raise or lower other Applications page.


Then make the following selections:

FaceTime - Higher priority (if you use Apple FaceTime).
HTTP - Higher priority
SMTP - Lower priority
POP3 - Lower priority
IMAP - Lower priority
DNS - Higher priority

Leave everything else as Default priority.

These settings should give client machines a better browsing experience and set e-mail to a lower priority so it “works in the background”.

Select Next then Finish.

Progress Check

At this point there will have been some Floating Firewall Rules created and some Traffic Shaper Queues assigned to the LAN and WAN interfaces.

To see the Firewall Rules navigate to Firewall - Rules and select the Floating tab.

To see the Queues navigate to Firewall - Traffic Shaper.

To monitor the traffic shaper queue status navigate to Status - Queues.

Tweak the Queues

Due to the huge difference between the Upstream and Downstream speeds some tweaking is called for.

First set the WAN Interface to match the actual WAN hardware (100 Mbit):
Navigate to Firewall - Traffic Shaper then select WAN.
Change the Bandwidth to 100 Mbits/s.

Select Save and then Apply Changes.

Leave ‘qInternet’ as it is at 810 Kbit/s as that matches the measured Upstream value from “Know Your Connection Speed” above.

Next, as most of the upstream traffic on an asymmetric link will be TCP ACKs for downloads, increase the bandwidth share of ‘qACK’:
Select qACK.
Change the Bandwidth and B/W share to 70%.

Select Save and then Apply Changes.

Leave ‘qDefault’, ‘qOthersHigh’ and ‘qOthersLow’ at the default values set by the wizard.

Next set the LAN Interface to match the actual LAN hardware (1 Gbit):
Navigate to Firewall - Traffic Shaper then select LAN.
Change the Bandwidth to 1 Gbits/s.

Select Save and then Apply Changes.

Progress Check

At this point ….

Resources

Below are several references that can be useful when making decisions about traffic shaping rules:

This concludes the Traffic Shaping and Queuing section…
