Replaced FIOS router with pfSense, now what?

  • Hi all,

    I recently purchased a SG-2440 for home use to learn more about pfSense, firewalls, etc. I have an IT background, but mostly in programming. I apologize in advance for any overly dumb-sounding questions!

    I cloned my FIOS Quantum gateway's MAC address and used that on my pfSense device. In addition, I enabled DHCP, set the DNS servers to Google and managed to switch out the FIOS router with pfSense. Surprisingly, it worked and I was able to get an IP and access the Internet from my LAN devices.

My question is whether the default firewall setup is secure or not. At this point, I really know very little about pfSense, but I'm trying to read as much as I can. I want to eventually put all my wireless devices on one VLAN and the rest of my devices connected via cable in another VLAN.

    I'm not sure if I should go about that via pfSense or a managed switch like the Cisco SG300-10?

    Mainly, I wanted to know if I could leave up the pfSense as-is for right now or do I need to go in and configure a bunch of firewall rules first before making it the edge device on my home network?

    Thanks in advance,


  • LAYER 8 Netgate

If you do not put any rules on the WAN interface, no inbound connections are allowed. The default configuration is no connections allowed inbound on WAN, all connections allowed inbound on LAN (and then out WAN).

    You have multiple interfaces on your 2440 so you do not need a managed switch. You could put a dumb switch on LAN and another on OPT1 for your access point/wireless devices. If you only have one AP you could just plug it directly into OPT1.

    If you want to start doing things like putting a wireless SSID for guests along with one on the same network as LAN, a managed/smart switch starts to be your best option. An SG-300 would certainly do what you need but anything that reliably does 802.1q VLANs should work fine.

Thanks for your response. Are there any default firewall rules posted online somewhere that I could start with for High Security, Med Security, etc.? I'm guessing having all incoming connections blocked isn't going to be a viable option, correct?

    Also, I have three wireless access points that would all be connecting to pfSense, hence the need for the switch. But is it better to use the switches for the VLAN or to use pfSense? Or do you need to create them in both?


  • LAYER 8 Netgate

    Why would it not be viable? If you do not need anything on the outside to be able to INITIATE connections into your network then you don't want or need any rules on WAN.

    pfSense is stateful, meaning if a connection is allowed outbound (like browsing to a web site) the necessary reply traffic is automatically allowed back in.

    I know of no default rule sets for any specific compliance requirements.

    If you have multiple access points I would use a managed switch and create different tagged VLAN interfaces on pfSense to implement the segmentation you want. Though the real discriminator is not multiple access points, but multiple SSIDs on individual APs.
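
As an added example (not code from the thread or from pfSense itself), here is a toy model of the stateful behaviour described above: a LAN "allow all" rule, no WAN rules, and a state table that lets reply traffic back in. Addresses are constructed from the documentation ranges; real pf also performs NAT, tracks TCP flags and sequence numbers, and ages states out, all of which this simplification omits.

```python
"""Added example, not from the thread: a toy model of pfSense's default
stateful filtering. Assumption: NAT, TCP flag tracking and state timeouts
are ignored; only the 5-tuple state lookup and first-match rules are shown."""
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str     # interface the packet ARRIVES on: "wan" or "lan"
    proto: str     # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    iface: str                   # rules apply to traffic entering this interface
    action: str                  # "pass" or "block"
    match: Callable[[Packet], bool] = lambda p: True   # default: match anything


State = Tuple[str, str, int, str, int]


class StatefulFirewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.states: Set[State] = set()

    def filter(self, pkt: Packet) -> str:
        forward: State = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply: State = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # 1. State table first: a packet belonging to an already-allowed flow
        #    passes in either direction without consulting any rule.
        if forward in self.states or reply in self.states:
            return "pass:state"
        # 2. Otherwise evaluate the rules for the arrival interface, first match wins.
        for rule in self.rules:
            if rule.iface == pkt.iface and rule.match(pkt):
                if rule.action == "pass":
                    self.states.add(forward)   # "keep state": remember the flow
                return f"{rule.action}:rule"
        # 3. Implicit default: block. With no WAN rules nothing unsolicited gets in.
        return "block:default"


def default_pfsense_policy() -> StatefulFirewall:
    # Out of the box: no rules on WAN, a single "LAN to any" pass rule on LAN.
    return StatefulFirewall([Rule("lan", "pass")])


def demo() -> List[str]:
    fw = default_pfsense_policy()
    client, web = "192.168.1.10", "203.0.113.80"   # constructed sample addresses
    return [
        # LAN host opens an HTTPS connection: allowed by the LAN rule, state created
        fw.filter(Packet("lan", "tcp", client, 51000, web, 443)),
        # The server's reply arrives on WAN: no WAN rule, but the state matches
        fw.filter(Packet("wan", "tcp", web, 443, client, 51000)),
        # An unrelated Internet host tries SSH to the LAN host: dropped
        fw.filter(Packet("wan", "tcp", "198.51.100.7", 40000, client, 22)),
        # Even the web server cannot open a NEW connection inbound
        fw.filter(Packet("wan", "tcp", web, 443, client, 22)),
    ]


def demo_with_hosted_service() -> List[str]:
    # A WAN rule is only needed when something outside must INITIATE a connection,
    # e.g. a hypothetical HTTPS server at 192.168.1.20 (port-forward NAT ignored here).
    server = "192.168.1.20"
    fw = StatefulFirewall([
        Rule("lan", "pass"),
        Rule("wan", "pass", lambda p: p.dst == server and p.proto == "tcp" and p.dport == 443),
    ])
    return [
        fw.filter(Packet("wan", "tcp", "198.51.100.7", 40001, server, 443)),  # explicit WAN rule
        fw.filter(Packet("wan", "tcp", "198.51.100.7", 40002, server, 22)),   # still blocked
    ]


if __name__ == "__main__":
    print(demo())
    print(demo_with_hosted_service())
```

The ordering in `filter` is the whole point: the state table is consulted before the rules, so reply packets arriving on WAN never need a WAN rule, while any packet that does not match an existing state falls through to the rules and, on WAN, to the implicit block.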

  • Here's a handy guide for getting Verizon's services to work behind pfSense.

  • Derelict, thanks for the clarification. I now understand what a stateful firewall means! As for the access points (3 Netgear routers in AP mode), they all have the same SSID/password. I have one on each floor of my house. What I was planning on doing was replacing the switches that I currently have (the APs connect to the switches) and then adding each port on the switch with an AP to a separate VLAN.

    So when you say I should use pfSense to create tagged VLAN interfaces, I still have to create the VLANs on the managed switches too, right? Using pfSense will allow the VLANs to talk to each other? Is that correct? If I created the VLANs on the switches, but didn't do anything on pfSense, what would that mean?

    Also, on the switches, I would need to create trunk ports in order to have one VLAN span across multiple switches correct?

    @irh972 - Thanks for that link. I found that article while Googling around, but it's a bit complicated and I'm not able to follow exactly what he's doing with this VLAN config. As I learn more, I'm hoping it'll make more sense.

  • LAYER 8 Netgate

    If you have a switch with multiple VLANs on it (Layer 2 broadcast domains) you need a router to route traffic between them.

    Yes, if you have multiple VLANs you need to tag the traffic for them between switches. Cisco calls this a "trunk."

  • I'm a bit confused about the purpose of routing traffic between VLANs. Aren't VLANs created to prevent groups of devices from communicating with each other? If you allow communication between the VLANs, then isn't it the same thing as not using any VLANs? I understand that they create separate broadcast domains, so it helps with isolating traffic, but why else? Also, can I use pfSense to choose which VLANs can communicate with each other? Should that be done on pfSense or on the switch?

    Thanks for the patience and help!

  • LAYER 8 Global Moderator

    The purpose of VLANs is not prevention of devices talking to each other. The purpose of a VLAN is the creation of a new layer 2 network. Whether you allow devices on these networks to talk to each other would be up to you: whether you route with an any/any rule, or just allow, say, devices on VLAN 2 to talk only to your httpd on IP xyz on ports 80/443, etc.

    As to routing at the switch or pfSense, that would be up to you. Yes, using a firewall as a router is going to have a performance hit. If you need to route at wire speed then you would want to route at your switch that does layer 3. Keep in mind the firewalling features of some layer 3 switches are not going to be anything compared to what you could do with pfSense.

    So what is your need, speed or control?

    Yes, the simple way to let devices talk to each other without any routing or firewalling would be to just put them on the same layer 2. That is always an option as well.

  • A couple of common uses of VLANs…

    Servers in one VLAN... two different groups of users in two different VLANs, firewall rules allowing each user group access to only specific servers/ports based on job function. Also, WAN firewall rules to hosts in the servers VLAN. To be more secure, since pfSense is stateful, direct outbound communication from servers to the two users' VLANs could be blocked.

    Employees/family members in VLAN 10... Guests/visitors in VLAN 20... no communication allowed between them. Some more advanced home users might even create a third VLAN for IoT-type devices, so tighter control can be had over the outbound connections they make, without affecting the other two VLANs.
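
As an added example (not from the thread, and not pfSense or switch code), the following parses the 802.1Q tag that a trunk port carries, maps it to a VLAN "interface", and evaluates a per-VLAN policy the way pfSense does: rules apply where traffic enters, first match wins, and the default is block. The VLAN numbers, subnets and hosts (family VLAN 10, guests VLAN 20, IoT VLAN 30, a NAS at 192.168.10.5) are constructed to mirror the layout in the post above; they are assumptions, not the poster's network.

```python
"""Added example (not from the thread): 802.1Q tag parsing plus an inter-VLAN
policy evaluated on the interface where traffic enters, as pfSense does.
Assumption: VLAN numbers, subnets, MACs and hosts below are constructed."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
TCP, UDP = 6, 17


@dataclass
class Frame:
    vlan_id: Optional[int]   # None when the frame carries no 802.1Q tag
    ethertype: int
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Strip the 14-byte Ethernet header and, if present, the 4-byte 802.1Q tag."""
    (ethertype,) = struct.unpack_from("!H", raw, 12)
    if ethertype != ETHERTYPE_8021Q:
        return Frame(None, ethertype, raw[14:])
    tci, inner_type = struct.unpack_from("!HH", raw, 14)
    return Frame(tci & 0x0FFF, inner_type, raw[18:])   # VLAN ID = low 12 bits of the TCI


def build_frame(vlan_id: Optional[int], payload: bytes) -> bytes:
    """Ethernet frame with constructed MACs, tagged when vlan_id is given (PCP/DEI zero)."""
    macs = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan_id is None:
        return macs + struct.pack("!H", ETHERTYPE_IPV4) + payload
    return macs + struct.pack("!HHH", ETHERTYPE_8021Q, vlan_id & 0x0FFF, ETHERTYPE_IPV4) + payload


def build_ipv4(src: str, dst: str, proto: int, dport: int) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) plus a 4-byte L4 port stub."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + struct.pack("!HH", 40000, dport)   # source port, destination port


def parse_ipv4(payload: bytes) -> Tuple[IPv4Address, IPv4Address, int, Optional[int]]:
    ihl = (payload[0] & 0x0F) * 4
    proto = payload[9]
    src, dst = IPv4Address(payload[12:16]), IPv4Address(payload[16:20])
    dport = struct.unpack_from("!H", payload, ihl + 2)[0] if proto in (TCP, UDP) else None
    return src, dst, proto, dport


# One pfSense VLAN interface per tag, each with its own /24 (constructed layout).
VLAN_SUBNETS = {
    10: IPv4Network("192.168.10.0/24"),   # family / wired
    20: IPv4Network("192.168.20.0/24"),   # guests
    30: IPv4Network("192.168.30.0/24"),   # IoT
}
ALL_LOCAL = list(VLAN_SUBNETS.values())


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    dst: Optional[IPv4Network]       # None = any destination
    proto: Optional[int] = None      # TCP/UDP number, None = any
    dport: Optional[int] = None      # None = any port


# Rules for traffic ENTERING each VLAN interface; first match wins, default block.
POLICY = {
    10: [Rule("pass", None)],                                        # family may reach anything
    20: [Rule("block", n) for n in ALL_LOCAL] + [Rule("pass", None)],  # guests: Internet only
    30: [Rule("pass", IPv4Network("192.168.10.5/32"), TCP, 443),      # IoT -> NAS HTTPS only
         *[Rule("block", n) for n in ALL_LOCAL],
         Rule("pass", None)],                                         # ...and the Internet
}


def filter_frame(raw: bytes) -> str:
    frame = parse_frame(raw)
    if frame.vlan_id not in VLAN_SUBNETS:
        return "block:untagged-or-unknown-vlan"   # no interface exists for this tag
    if frame.ethertype != ETHERTYPE_IPV4:
        return "block:non-ipv4"
    src, dst, proto, dport = parse_ipv4(frame.payload)
    own = VLAN_SUBNETS[frame.vlan_id]
    if src not in own:
        return "block:spoofed-source"           # address does not belong to this VLAN
    if dst in own:
        return "switched"                       # same layer 2: the switch forwards it, pfSense never sees it
    for rule in POLICY[frame.vlan_id]:
        if rule.dst is not None and dst not in rule.dst:
            continue
        if rule.proto is not None and rule.proto != proto:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "block"                              # implicit default deny


def demo() -> List[str]:
    web, family_pc, nas = "203.0.113.80", "192.168.10.4", "192.168.10.5"
    cases = [
        (20, "192.168.20.7", nas, TCP, 443),   # guest -> family NAS: blocked
        (20, "192.168.20.7", web, TCP, 443),   # guest -> Internet: allowed
        (30, "192.168.30.9", nas, TCP, 443),   # IoT -> NAS HTTPS: the one allowed path
        (30, "192.168.30.9", nas, TCP, 22),    # IoT -> NAS SSH: blocked
        (10, family_pc, nas, TCP, 22),         # same VLAN: never routed
        (20, family_pc, nas, TCP, 22),         # guest tag with a family source address
        (None, family_pc, web, TCP, 443),      # untagged frame arriving on the trunk
    ]
    return [filter_frame(build_frame(v, build_ipv4(s, d, p, port))) for v, s, d, p, port in cases]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two things the model makes visible: traffic between two hosts in the same VLAN is switched at layer 2 and never reaches pfSense, so no firewall rule can touch it (which is why the NAS and the devices that may reach it belong in different VLANs), and the guest and IoT policies must block the other local subnets explicitly before the trailing "pass any" rule, or that rule would let them route everywhere.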

  • LAYER 8 Global Moderator

    Some home users might even have 7 or 8 different vlans ;)

  • @johnpoz, most of what you said is making sense to me, but not completely. So if I decide to go with routing on the switches for better performance, does that mean I can't use the firewalling features of pfSense in addition? Or I have to use pfSense for VLAN routing if I want to have access to the firewalling features?

    I'm mostly doing this as a learning experience because I'm taking some courses in network security, etc. I also do computer consulting, but it's mostly software and basic computer troubleshooting. I want to learn this stuff because some clients have asked about making their networks more secure and I really didn't have a good answer.

    I plan on using multiple VLANs at home to separate all wireless clients from wired clients. Also, I want to only allow my NAS to communicate with 1 or 2 devices on the wired network and 1 or 2 devices on the wireless network. In this case, I would put the NAS in a separate VLAN from the wired and wireless devices, correct?

    But if I want to get this particular about which devices can communicate, I'll probably need to use pfSense for the routing right?

  • I'm actually doing the same thing as you (almost). What I am trying to do now is have my L3 switch act as the router for the inter-VLAN traffic for 2 of my 3 VLANs. The third VLAN however will have to go upstream to the router to have the rules there decide what device it should be allowed to speak with. Does that sound viable?