Basic Firewall Set Up

  • Hello everyone, I’m new to pfsense and new to setting up my own firewall and seem to be having a ton of issues. I have been trying to set up the firewall to get me up and running but just keep breaking the access to the internet. Currently I have my desktop connected to my L2 switch through VLAN 1 into my pfsense which sees the VLAN as the LAN. And my WAN on the pfsense is connected to my existing router set up that I am trying to get rid of with this.

    I’ve tried following a few videos, a few from Lawrence Systems on YouTube and a guide in the link at the bottom of this post but each time I either add something new, I just lose access to something. Sometimes it’s just overall internet access other times I can ping external IPs but can’t resolve any addresses and so on.

    I just want to be able to get a steady set up so I can start migrating off my Eero mesh system and then start working on fine tuning, or fine tune before that a little. Currently I do have suricata on as well but when I was accessing the internet, I had no blocks or alerts (I have a free snort account and the ETF open one checked as well if I remember the name correctly)

    My system is pretty jumbled up right now from trying so many things so I may just reset it all to defaults and start from there or just delete all firewall rules. From the general set up section I do have my DNS server set to and which if I remember correctly is cloudfares and I have the options checked for DHCP addresses to use that to resolve the hostnames when browsing the internet. (Can’t remember the full selection since I’m on my phone for this post).

    I want to be able to set up three VLANs, Primary, IoT and Guest. Primary would only have my computers on it (W10, MacOS) while IoT has everything else. Also should any of my servers or VMs be on the primary VLAN or their own?

    Any help would be appreciated with getting a basic firewall up and running since I keep breaking it somehow and then as I said I can fine tune. Right now I just have my main computer connected to pfsense for config and testing. Thank you!

    Link mentioned above:

  • Hi,

    The default settings, activated when you install pfSense are close-to-perfect, and will do just fine od for a basic setup.
    The scenario will be : no-one get in - you are free to do what you want.
    Sub systems like DNS will work just great. No need to include remote resources like Cloudfare.

    There is no need at all to add ore modify firewall rules, with one exception : if you don't trust your own devices or the users handling them. In that case, activate a dedicated interface for them (OPT1) and add needed firewall and other filtering technics for them. In any case, leave the LAN is as.

  • @Gertjan

    Thanks for the reply, so I should probably start from a clean slate then to be sure its not going to affect anything. I guess my issue is then what do I do after that?

    You also mentioned that you would just keep everything in the LAN and create an OPT1 (VLAN IoT in my case) for anything that is not secure. This would work and my L2 switch that way.

    I guess from there, I would not have to allow DNS or HTTP/S through the firewall from there or is that not needed? Its just so weird how everything I have seen is so different. I know Ill need to do a few things like to allow my VPN client and set up a VPN server, then in my IoT VLAN, set up some passes for my devices.

    For the DNS, it seemed to only work when I added a provider in the general set up section I believe its named, this is why I added it then allowed it for the DHCP clients.

  • @ccigas said in Basic Firewall Set Up:

    I guess from there, I would not have to allow DNS or HTTP/S through the firewall from there or is that not needed?

    Typically, on an second LAN interface - called OPTx - you would block http and https acces to the Firewall (= pfSense) itself.
    Don't block DNS, devices could use pfSense as a DNS, or whatever other DNS they want to use on the net.

    @ccigas said in Basic Firewall Set Up:

    For the DNS, it seemed to only work
    pfSense doesn't use or care about DNS in receives from upstream routers.
    The resolver - unbound - uses the 13 main root DNS servers (the real back bone of the Internet) to find domain info. That will always works.
    There is no need - isn't used by default :
    Ustream DNS servers,
    ISP DNS servers,
    Private info collection servers (Google and others);

    If the default resolver doesn't work, something is wrong with your Internet access.

    Btw : 'named' or bind, isn't used by pfSense. bind is much bigger and capable, and offers functionalities that hugely surpasses the needs of a firewall.