PfSense Notes for New Users
-
Community members,
I've been scouring the forums for the past few months, and I've taken note of some of the most common questions that have been asked by new members. Hopefully some new users can get some useful information from this post! Any edits, additions, comments, etc by some veteran members would be most welcome.
To Start
- Purchase the pfSense Book. It’s a treasure trove of knowledge in a very intuitive package. The answer to all your basic questions is in there
Firewall
-
WAN net is not the internet. It is only the network your WAN interface is on.
-
“Any” would allow access to the internet, along with anything else.
-
Firewall rules are evaluated from top to bottom on the interface where the traffic enters pfsense. First rule to trigger is the only one used. A “pass any” or "block any" rule will invalidate everything below it. This is not true for Floating rules which are Last Match unless you have the "Quick" option checked. Floating rules are evaluated before interface rules.
-
pfSense is a stateful firewall. A "state" is created to allow incoming traffic to return to the client that requested it. If you create new block rule that is not working, check your state table for existing states that would be allowing the traffic.
-
There is a hidden “Block ALL” rule at the bottom of all interfaces firewall rule lists. This is logged by default as the default deny rule. There is also a hidden dhcp rule to allow dhcp when enable dhcp server on an interface.
-
After adding a new interface, make sure you add a firewall rule to allow traffic. New interfaces (Opt, VPN, etc) by default have no rules associated with them.
Hardware
-
If you’re building an appliance for your home, that Intel i7 you specced out is probably overkill. There are much cheaper options, and a ton of forum threads with specs already made for your use case.
-
Don’t put WiFi on your firewall. Spend a few dollars and get an access point. Or leverage your old wifi router as AP. An access point with vlan support will benefit you (if not now, it will in the future when you want to put different SSIDs on different vlans).
-
A router is not a switch. Bridging interfaces is bad practice in most cases. Very inexpensive managed and unmanaged switches are available!
Packages
- Don’t immediately install packages as soon as you boot up. Get your network running properly first. This will save you a bunch of troubleshooting headaches.
General Tips
- If your settings are correct, it’s probably not pfSense that’s causing your issue. Double check your settings!
Requesting Help
- If you want to ask a question about settings on the forums, make sure you post the settings you’re using. Screenshots go a long way. Obfuscate your public IPs if applicable. Give the people spending their time to help you as much information as possible.
-
A couple of corrections:
1. WAN is not the internet. It’s only the subnet on the WAN interface.
I think you meant to say WAN net here. WAN is usually the Internet. WAN net is only the subnet your WAN is on.
2. “Any” is the internet.
Any is literally any interface, not specifically WAN/Internet.
3. Firewall rules are evaluated from top to bottom. First rule hit is the only one that’s used. A “pass all” or "block all" rule will invalidate everything below it.
Floating rules are Last Match unless you have the Quick option checked. All other interface rules are First Match.8. Don’t put WiFi on your firewall. Spend a few dollars and get an access point.
Or put your old Wifi router into AP mode and use it as your access point.
-
While it is possible to use your old wifi router as AP, they generally do not have vlan support unless running 3rd party and correct hardware in the first place. So while sure leveraging an old wifi router you have laying around is an option.
It would be much better to get an actual AP that has vlan support in the bigger picture.
@danc if you have not gotten your wiki access, I can add this to the wiki (giving you credit and linking to this thread) which allows for easy tweaking of wording and additions per our PM conversation.
edit: wiki page created with KOMs and a few minor tweaks by me
https://doc.pfsense.org/index.php/Notes_for_New_Users -
Thanks for adding that Wiki post! I'll keep an eye out for access and update this post periodically. I read somewhere that new users aren't going to be added to the Wiki until some changes are put in production.
-
Hmmm - had not seen that about the wiki, then again I been here a while and have had wiki access for quite some time ;)
No big deal - thanks for taking the time for putting together the info. Nice to see new users joining in on the fun.. Just PM me if you would like to make some changes/additions, etc.
-
Please keep this here on the forum, it might be OK here but that sort of note doc isn't well-suited for the wiki.
Also, when adding any content to the wiki please make sure it fully conforms to the Wiki Style Guide.
-
I will edit it for the wiki so it meets the guide lines. But why not suited for the wiki, its in the FAQ section. Which clearly they all are.
-
It's not just about the style but the content. It's a random collection of mostly unrelated items. It might be OK for the forum in a sticky, but it isn't something that will be on the wiki. Especially not hardware recommendations. Many of them are already addressed in other FAQ entries, too.
-
That why it was labeled "Notes" ;) But ok not a big deal..
Users are stupid in general.. A short and to the point list with all the common stuff seemed like a good idea to me. All of those items come up all the time. I am about ready to make the statement of how rules are evaluated a hot key stoke for pasting it ;)
Same with the wan is not the internet thing, just a thread started the other day where user just doesn't get it.. Even after multiple attempts of pointing out its just the wan net, and not the actual internet ;)
edit: BTW it was my idea for the wiki, not danc idea.. So any blame for that falls to me.. Nice to see a new user trying to help out the others here..
-
That why it was labeled "Notes" ;) But ok not a big deal..
Users are stupid in general.. A short and to the point list with all the common stuff seemed like a good idea to me. All of those items come up all the time. I am about ready to make the statement of how rules are evaluated a hot key stoke for pasting it ;)
Same with the wan is not the internet thing, just a thread started the other day where user just doesn't get it.. Even after multiple attempts of pointing out its just the wan net, and not the actual internet ;)
edit: BTW it was my idea for the wiki, not danc idea.. So any blame for that falls to me.. Nice to see a new user trying to help out the others here..
I agree though I can understand that a proper place for these tips might be hard to find on the wiki.
Sadly, most of the learning pains I'd initially ran into were forgotten as I became accustomed to the "quirks" of pfSense.
I applaud the efforts of OP. Seems like a good start. I don't really see any downside for pfSense to make the learning curve for newbies easier.