LAN Firewall
Now that the installation has been completed it’s time to create some firewall rules.
The default for pfSense is to block all incoming connections on the WAN interface and to allow all incoming connections on the LAN interface. That is, any traffic initiated from the LAN is allowed through the firewall and any traffic hitting the WAN interface is dropped…
This section describes how to configure the LAN interface to only allow connections for specific services (DNS, NTP, Web, E-Mail, FTP, etc) and block
everything else initiated from the LAN.
Although pfSense has a default ‘Anti-lockout Rule’ it is not ideal as it allows port 80 and port 443 connections from anywhere and does not cover SSH.
A more secure approach will only allow HTTPS (Port 443) and SSH (Port 22) connections to the pfSense LAN address, and only from clients on the LAN network.
Action: Pass
Interface: LAN
Protocol: TCP
Source: LAN net
Destination: LAN address
Destination port range (from): other - ManagementPorts
Description: Allow pfSense Management.
Select Save.
Select add a new Block rule for TCP from Anywhere to the LAN Address management ports (the alias created above).
Action: Reject
Interface: LAN
Source: any
Destination: LAN address
Destination: port range (from): other - ManagementPorts
Log: Checked
Description: Block pfSense Management
Select Save.
Order the firewall rules to have the Pass rule at the top of the list and the Reject rule second.
converted by W eb2PDFConvert.com
Select Apply Changes.
Note: In the above screenshot the default ‘Anti-lockout Rule’ has been turned off. To do this (only after these rules are in place) navigate to System - Advanced and ‘check’ the Anti-lockout check box.
Select Save.
Progress Check
At this point any client computer on the LAN network should be able to make either an SSH or HTTPS connection to the pfSense host.
DNS Rules
Force the use of the DNS servers specified in the Services - DHCP Server tab. The idea here is to ensure that only the DNS servers configured in
pfSense are used and that no client on the LAN can bypass that setting.
For this project OpenDNS provides external filtering and pfSense is configured to enforce its use by all LAN clients; the alias is named accordingly.
First an alias will need to be created for the configured DNS server addresses:
Navigate to Firewall - Aliases and select the IP tab.
Create an alias called OpenDNS and specify the OpenDNS IP addresses.
Action: Pass
Interface: LAN
Protocol: TCP/UDP
Source: LAN net
Destination (Type): Single host or alias: other - OpenDNS
Destination: port range (from): DNS
Description: DNS Allow
Select Save.
Select add a new Block rule for TCP/UDP from the LAN to any DNS server that is not OpenDNS (the alias created above) for DNS traffic.
Action: Reject
Interface: LAN
Protocol: TCP/UDP
Source: LAN net
Destination (Type): Single host or alias: other - OpenDNS
Check the ‘not’ checkbox
Destination: port range (from): DNS
Log: Checked
Description: DNS Block
Select Save.
Order the firewall rules to have the Pass rule before the Block rule, keeping the DNS rules together (one under the other).
converted by W eb2PDFConvert.com
Select Apply Changes.
Progress Check
At this point, if any client computer has manually overridden the DNS settings provided by DHCP, it will not be able to resolve domain names (normal web browsing will not work).
NTP Rules
Allow any client computer on the LAN access to the Network Time Protocol (NTP); this allows automatic clock synchronisation.
Action: Pass
Interface: LAN
Protocol: TCP/UDP
Source: LAN net
Destination (Type): any
Destination: port range (from): other - Time (the alias created above for NTP).
Description: Time Allow
Select Save.
Order the firewall rules to have the Time rule after the DNS rules.
Progress Check
Any client computer should be able to reach its configured time source and synchronise its clock.
Now that the basic system services are taken care of it’s time to allow any client computer on the LAN access to web browsing.
For web browsing only two ports are required: port 80 for HTTP traffic and port 443 for HTTPS traffic. Only TCP is used for web browsing.
A specific rule for HTTP and HTTPS will be required once the default allow ‘LAN to Any’ rule is turned off.
First an alias will need to be created for HTTP (Port 80) and HTTPS (Port 443):
Navigate to Firewall - Aliases and select the Ports tab.
Create an alias called WebBrowsing and specify the two ports.
converted by W eb2PDFConvert.com
Select Save and then Apply Changes.
Action: Pass
Interface: LAN
Protocol: TCP
Source: LAN net
Destination (Type): any
Destination: port range (from): other - WebBrowsing (the alias created above for web browsing).
Description: Web Allow
Select Save.
Order the firewall rules to have the Web rule after the Time rule.
Progress Check
E-Mail Rules
The second most popular thing will be to allow any client computer on the LAN access to e-mail.
For e-mail there are many ports to consider: port 25 for SMTP, 465 and 587 for SMTP SSL. Then port 110 for POP3 and 995 for POP3 SSL. Finally port 143 for IMAP and 993 for IMAP SSL.
A specific rule for SMTP, POP3 and IMAP will be required once the default allow ‘LAN to Any’ rule is turned off.
For this project only the secure (SSL) ports will be enabled and all clients will be configured accordingly.
First an alias will need to be created for SMTP (Port 465 and 587), POP3 (Port 995) and IMAP (Port 993):
Navigate to Firewall - Aliases and select the Ports tab.
Create an alias called E-Mail and specify all the ports listed above.
Action: Pass
Interface: LAN
Protocol: TCP
Source: LAN net
Destination (Type): any
Destination: port range (from): other - EMail (the alias created above for e-mail traffic).
Description: E-Mail Allow
converted by W eb2PDFConvert.com
Select Save.
Order the firewall rules to have the E-Mail rule after the Web rule.
Progress Check
FTP Rules
FTP is a very old protocol that sends all communication in plain text, including username and password; it is an insecure protocol, don’t use it!
If there is no other option and FTP must be used, several ports are required: port 20 (FTP) and port 21 (FTP Control), or port 989 (FTPS) and port 990 (FTPS Control). Also, if passive FTP is required, then all ports numbered greater than 1024 and less than 65535 may need to be opened.
SFTP Rules
A better option is to use the SFTP (SSH File Transfer Protocol) as all communication is encrypted.
A specific rule for SSH will be required once the default allow ‘LAN to Any’ rule is turned off.
First an alias will need to be created for SSH (Port 22 is the default); depending on the configuration of the server additional ports may need to be added (check with the server administrator). Although this could be configured without an alias, using one makes it easier to add ports later:
Navigate to Firewall - Aliases and select the Ports tab.
Create an alias called SSH and specify all the ports listed above.
Action: Pass
Interface: LAN
Protocol: TCP
Source: LAN net
Destination (Type): any
Destination: port range (from): SSH (the alias created above for SSH traffic).
Description: SSH Allow
Select Save.
Order the firewall rules to have the SSH rule after the E-Mail rule.
converted by W eb2PDFConvert.com
Progress Check
Now that the “essential” services have specific rules it’s time to turn off the default allow rules.
Edit both the “Default allow LAN to any rule” and the “Default allow LAN IPv6 to any rule” and set them to “Reject” and enable “Log packets…”.
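To see how the ordered LAN ruleset above behaves once the default allow rules are set to Reject, here is an added example (not from this page and not pfSense code) that models pfSense's top-to-bottom, first-match evaluation of the rules on one interface. Every address and flow is a constructed sample: the 192.168.1.0/24 LAN, the placeholder OpenDNS addresses and the port numbers behind each alias are assumptions taken from the text, not a real resolver list.

```python
# Simplified first-match model of the LAN ruleset built in the text.
# Constructed example: addresses are documentation ranges, not real hosts.
import ipaddress
from dataclasses import dataclass

ANY = None
LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # "LAN net" from the install step
LAN_ADDR = ipaddress.ip_address("192.168.1.1")     # "LAN address"
OPENDNS = {ipaddress.ip_address("203.0.113.53"),   # placeholder for the OpenDNS alias
           ipaddress.ip_address("203.0.113.54")}

# Port aliases as created under Firewall - Aliases (numbers taken from the text)
PORTS = {
    "ManagementPorts": {22, 443}, "DNS": {53}, "Time": {123},
    "WebBrowsing": {80, 443}, "EMail": {465, 587, 993, 995}, "SSH": {22},
}

@dataclass
class Rule:
    action: str        # "pass" or "reject"
    protos: object     # set of protocol names, or ANY
    src: object        # LAN_NET or ANY
    dst: object        # LAN_ADDR, a set of hosts (an alias), or ANY
    ports: object      # set of destination ports, or ANY
    description: str
    dst_not: bool = False   # the 'not' checkbox on the destination
    log: bool = False       # the Log checkbox

# The LAN rules in the order the text asks for them to be arranged
LAN_RULES = [
    Rule("pass", {"tcp"}, LAN_NET, LAN_ADDR, PORTS["ManagementPorts"], "Allow pfSense Management"),
    Rule("reject", {"tcp"}, ANY, LAN_ADDR, PORTS["ManagementPorts"], "Block pfSense Management", log=True),
    Rule("pass", {"tcp", "udp"}, LAN_NET, OPENDNS, PORTS["DNS"], "DNS Allow"),
    Rule("reject", {"tcp", "udp"}, LAN_NET, OPENDNS, PORTS["DNS"], "DNS Block", dst_not=True, log=True),
    Rule("pass", {"tcp", "udp"}, LAN_NET, ANY, PORTS["Time"], "Time Allow"),
    Rule("pass", {"tcp"}, LAN_NET, ANY, PORTS["WebBrowsing"], "Web Allow"),
    Rule("pass", {"tcp"}, LAN_NET, ANY, PORTS["EMail"], "E-Mail Allow"),
    Rule("pass", {"tcp"}, LAN_NET, ANY, PORTS["SSH"], "SSH Allow"),
    # The former "Default allow LAN to any" rule, now set to Reject with logging
    Rule("reject", ANY, ANY, ANY, ANY, "Default LAN to any (Reject)", log=True),
]

def _addr_match(selector, addr):
    """True when addr is covered by selector (ANY, a network, a host, or an alias set)."""
    if selector is ANY:
        return True
    if isinstance(selector, ipaddress.IPv4Network):
        return addr in selector
    if isinstance(selector, set):
        return addr in selector
    return addr == selector

def evaluate(proto, src, dst, dport, rules=LAN_RULES):
    """Return (action, logged, description) of the first rule matching the flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.protos is not ANY and proto not in r.protos:
            continue
        if not _addr_match(r.src, src):
            continue
        if _addr_match(r.dst, dst) == r.dst_not:   # 'not' inverts the destination match
            continue
        if r.ports is not ANY and dport not in r.ports:
            continue
        return r.action, r.log, r.description
    return "block", False, "no rule matched (pfSense blocks by default)"
```

Running evaluate() with the two management rules swapped shows why the Pass rule must sit above the Reject rule; it also shows that the Web Allow rule, whose destination is any, still lets TCP port 80 reach the LAN address.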
Monitor the Firewall Logs to see if anything that may be needed is being rejected by the LAN rules:
Navigate to Status - System Logs and select the Firewall tab.
Type LAN in the Interface field and then select Filter.
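When the firewall log fills up it is easier to spot a missing rule by counting blocked LAN flows per destination port than by reading line by line. The following is an added example (not from this page or pfSense) that parses syslog lines in the comma-separated filterlog layout pfSense 2.2 writes and summarises inbound blocks on the LAN interface. The log lines, tracker ids and addresses are constructed samples; the interface name em0 is taken from the installation step, and it is assumed that Reject rules appear in the log with the action "block".

```python
# Summarise blocked inbound LAN flows from constructed pfSense filterlog lines.
# Field layout assumed (IPv4): rule,sub-rule,anchor,tracker,iface,reason,action,
# dir,ip-version,tos,ecn,ttl,id,offset,flags,proto-id,proto,length,src,dst,sport,dport,...
from collections import defaultdict

LAN_IF = "em0"   # the interface assigned to LAN during installation

# Port-to-service hints for ports discussed in the text (plain-text services are not allowed)
SERVICE_HINT = {20: "FTP data", 21: "FTP control", 25: "SMTP (plain)",
                53: "DNS", 110: "POP3 (plain)", 143: "IMAP (plain)"}

# Constructed sample log: two SMTP attempts, a DNS bypass attempt, an FTP attempt,
# one passed HTTPS flow and one block on the WAN interface (fxp0) that must be ignored.
SAMPLE_LOG = """\
Jun 10 09:15:02 pfSense filterlog: 9,16777216,,1000000109,em0,match,block,in,4,0x0,,64,4412,0,DF,6,tcp,60,192.168.1.50,198.51.100.10,51234,25,0,S,1183620421,,65535,,mss;sackOK;TS;nop;wscale
Jun 10 09:15:03 pfSense filterlog: 9,16777216,,1000000109,em0,match,block,in,4,0x0,,64,4413,0,DF,6,tcp,60,192.168.1.50,198.51.100.10,51235,25,0,S,1183620422,,65535,,mss;sackOK;TS;nop;wscale
Jun 10 09:15:10 pfSense filterlog: 4,16777216,,1000000104,em0,match,block,in,4,0x0,,64,9001,0,none,17,udp,73,192.168.1.77,198.51.100.1,60000,53,53
Jun 10 09:15:12 pfSense filterlog: 9,16777216,,1000000109,em0,match,block,in,4,0x0,,64,4420,0,DF,6,tcp,60,192.168.1.50,198.51.100.20,51240,21,0,S,2000000000,,65535,,mss;sackOK
Jun 10 09:15:15 pfSense filterlog: 5,16777216,,1000000105,em0,match,pass,in,4,0x0,,64,4421,0,DF,6,tcp,60,192.168.1.50,198.51.100.10,51241,443,0,S,2000000001,,65535,,mss;sackOK
Jun 10 09:15:20 pfSense filterlog: 2,16777216,,1000000102,fxp0,match,block,in,4,0x0,,52,1,0,none,6,tcp,40,203.0.113.9,192.0.2.1,4444,22,0,S,1,,1024,,
"""

def parse_filterlog(line):
    """Return a dict for one syslog line, or None if it is not an IPv4 filterlog entry."""
    if "filterlog: " not in line:
        return None
    f = line.split("filterlog: ", 1)[1].split(",")
    if len(f) < 20 or f[8] != "4":        # only IPv4 entries are handled here
        return None
    entry = {"rule": f[0], "tracker": f[3], "iface": f[4], "action": f[6],
             "dir": f[7], "proto": f[16], "src": f[18], "dst": f[19],
             "sport": None, "dport": None}
    if entry["proto"] in ("tcp", "udp") and len(f) >= 22:
        entry["sport"], entry["dport"] = int(f[20]), int(f[21])
    return entry

def blocked_lan_flows(log_text):
    """Count blocked inbound flows on the LAN interface per (proto, dport, tracker)."""
    summary = defaultdict(lambda: {"count": 0, "sources": set()})
    for line in log_text.splitlines():
        e = parse_filterlog(line)
        if not e or e["iface"] != LAN_IF or e["dir"] != "in" or e["action"] != "block":
            continue
        key = (e["proto"], e["dport"], e["tracker"])
        summary[key]["count"] += 1
        summary[key]["sources"].add(e["src"])
    return dict(summary)

def report(log_text):
    """One line per blocked (proto, port, rule), busiest first, to compare against the aliases."""
    rows = sorted(blocked_lan_flows(log_text).items(), key=lambda kv: -kv[1]["count"])
    lines = []
    for (proto, dport, tracker), v in rows:
        hint = SERVICE_HINT.get(dport, "")
        lines.append(f"{v['count']:3d}x {proto}/{dport:<5} {hint:<14} rule {tracker} "
                     f"from {', '.join(sorted(v['sources']))}")
    return lines
```

Entries on the WAN interface are skipped on purpose: the question at this step is which LAN services still lack a Pass rule, not what the WAN is dropping.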
It didn’t take long to notice that specific rules were needed for two popular Apple services, FaceTime and iMessage.
From the Apple support article Using FaceTime and iMessage behind a firewall it becomes clear that quite a few ports need to be opened.
Resources
Below are several references that can be useful when making decisions about firewall rules:
Ports used by Apple Products.
Ports used by Microsoft Windows.
Service Name and Transport Protocol Port Number Registry.
© 2016 Contact
converted by W eb2PDFConvert.com
Escape Backslash
The Hardware
Selecting the hardware and installing the software; without this nothing can be done, so let’s get started…
Choose a minimalist hardware specification; have a look at pfSense Hardware Requirements to find the best option.
This gives more than enough hard-drive storage, plenty of RAM with three Gigabit ethernet ports for the internal (LAN, DMZ etc) interfaces and a 100 Meg
ethernet port for the external (WAN) port.
There is a detailed installation guide available on the pfSense document site Installing pfSense.
Below are the options selected for this project (using pfSense 2.2):
Boot the PC from the pfSense CD.
When the “Welcome to pfSense!” screen is displayed select “1. Boot Multi User [Enter]” (or let the timer expire to install the default).
When prompted select “(I) Installer…” to install (if you’re not quick the timer will expire).
Graphical Installer Starts
The “Welcome to pfSense” menu should now be displayed, with the WAN (wan) set to em0 and the LAN (lan) set to em1 with the IP address
192.168.1.1/24.
converted by W eb2PDFConvert.com
Select “1) Assign interfaces”
Do you want to set up VLANs now [y|n] “y”
Enter the parent interface name for the new VLAN (or nothing if finished): Enter
Enter the WAN interface “fxp0”
Enter the LAN interface “em0”
Enter the Optional 1 interface (select nothing to finish): Enter
Do you want to proceed [y|n] “y”
The “Welcome to pfSense” menu should now be displayed, with the WAN (wan) set to fxp0 and the LAN (lan) set to em0 with the IP address
192.168.1.1/24.
That’s the basic installation completed; from this point onwards the keyboard and monitor can be removed, as the rest of the configuration will be done from the web-interface.
Open a web-browser on any computer that has access to the LAN port of this pfSense installation “https://192.168.36.121” and log on to the web-interface (Username: admin with the Password: pfsense).
Select “next” when presented with the setup wizard and then make the following changes:
Select Reload.
Continue on to the pfSense web-interface…
Check for Updates
converted by W eb2PDFConvert.com
From the web-interface menu select Status - Dashboard
Check the Version
If it displays Update Available, select Click Here to view the update.
Select Auto Update then Invoke Auto Upgrade.
This will take the system to the latest version available if any updates are available.
Note: Now is a good time to enable the Secure Shell Server (it will allow you to establish an SSH connection to this host). To do this navigate to System
- Advanced and ‘check’ the Secure Shell Server check box.
Select Save.
© 2016 Contact
converted by W eb2PDFConvert.com
Escape Backslash
Configure the DHCP Server for the LAN interface to control the range of dynamically assigned IP addresses and the available DNS Servers.
Everything should be configured except the DNS Servers; as this network utilises OpenDNS as an external layer of protection, the OpenDNS IP addresses need to be specified here.
Select Save.
Progress Check
At this point any client computer connected to the LAN interface should be automatically assigned an IP address and be able to connect to the
internet…
Traffic Control
Prioritise traffic in an attempt to optimise the client machines’ network experience (make web browsing more responsive).
Traffic shaping is used to optimise or guarantee performance, improve latency, and/or increase usable bandwidth for some kinds of packets by delaying
others.
For more details have a look at this Traffic Shaping Wikipedia article.
Before you can implement traffic shaping the Upload and Download connection speeds to the ISP must be known.
From interrogating the modem for this network the Upstream Line Rate was found to be 1020 Kbps and a Downstream 19999 Kbps. Be careful using line
rates in your traffic shaping rules as they most likely don’t account for L1/L2 and TCP/IP overheads (approximately 20% for ADSL).
It’s also a good idea to check the connection speed from your network to the ISP, most ISPs will have a speed check utility.
As a last resort a speed check to “somewhere on the internet” might give you an idea…
SpeedOf.Me
Upstream - 870 Kbps
Downstream - 12.86 Mbps
Traffic shaping requires pfSense to drop packets, so it's very important not to set the upper limits higher than they actually are. If pfSense is not dropping
packets then they will be dropped by the ISP and no local shaping will occur.
For this project the ISP Speed Test values will be used in the pfSense Traffic Shaper rules…
Getting Started
The easiest way to get started is to use one of the Traffic Shaper Wizards.
Navigate to Firewall - Traffic Shaper and select Wizards.
Open the Multiple Lan/Wan wizard.
Set one WAN port and one LAN port then select Next.
Select Next for the following page (unless you use any of these services).
Voice over IP
Penalty Box
Peer to Peer networking
Network Games
converted by W eb2PDFConvert.com
FaceTime - Higher priority (if you use Apple FaceTime).
HTTP - Higher priority
SMTP - Lower priority
POP3 - Lower priority
IMAP - Lower priority
DNS - Higher priority
These settings should give client machines a better browsing experience and set e-mail to a lower priority to “work in the background”.
Progress Check
At this point there will have been some Floating Firewall Rules created and some Traffic Shaper Queues assigned to the LAN and WAN interfaces.
To see the Firewall Rules navigate to Firewall - Rules and select the Floating tab.
Due to the huge difference between the Upstream and Downstream speeds some tweaking is called for.
First set the WAN Interface to match the actual WAN hardware (100 Mbit):
Navigate to Firewall - Traffic Shaper then select WAN.
Change the Bandwidth to 100 Mbits/s.
Leave ‘qInternet’ as it is at 810 Kbit/s as that matches the measured Upstream value from “Know Your Connection Speed” above.
Next, as most of the WAN traffic will be TCP ACKs, increase the bandwidth percentage of ‘qACK’:
Select qACK.
Change the Bandwidth and B/W share to 70%.
Leave all of ‘qDefault’, ‘qOthersHigh’ and ‘qOthersLow’ at the default values set by the wizard.
Next set the LAN Interface to match the actual LAN hardware (1 Gbit):
Navigate to Firewall - Traffic Shaper then select LAN.
Change the Bandwidth to 1 Gbits/s.
Select Save.
Select Save.
Progress Check
At this point ….
Resources
Below are several references that can be useful when making decisions about traffic shaping rules: