Basic Home Firewall Setup



  • I haven't really worked with firewalls too much. With the default LAN firewall rule that is created, I can access websites to view pages from the LAN.

    However my email client errors out on POP3, SMTP, IMAP stating it cannot connect to the service, until I set up NAT rules and firewall rules under the WAN interface to port forward those ports to a specific IP address on the LAN. Except now only [1x] computer is allowed to connect to mail services. LAN1 can't connect.

    I was under the impression this is normally only set up for incoming traffic, as if I was hosting a POP server on my LAN? It seems like the pfSense firewall rules are the reverse of what the common industry standards are.

    Also when I set up the LAN1 & OPT1 (WiFi) interfaces the same as LAN (LAN Subnet * * * * *) with the firewall rules for LAN1 Subnet * * * * (under the LAN1 firewall interface), I couldn't connect to the internet or other networks until I created a new rule above the LAN1/OPT1 firewall interfaces with allow any * * * * *.

    What is a common firewall setup for connecting to other LANs and the WAN without having to do an allow-all setup with * * * * * *? And what interface would you set the rule on? Or is there a firewall template that can be viewed or downloaded?



  • It sounds like you may have configured a /32 or single host for your port forwards and that you're using the WAN IP address or a hostname that resolves to the WAN IP for your email services.

    The default rule for all interfaces other than LAN (and possibly LAN) is to block all.  You have to create a rule to allow only what you want.



  • Just to initially get everything working I was doing "allow all" (* * * * * *) for all interfaces, and this setup did not work when trying to connect to servers on the internet. My ISP is hosting the POP3, SMTP, IMAP services, and I am using the built-in mail client for the Opera web browser to retrieve my email.

    I only got it to work with allowing "any to talk to port 25 with a destination of LAN IP 10.1.1.3" on the WAN firewall rules. The LAN only has the default "LAN Subnet * * * * *".

    However this doesn't make sense to me. Logically the NATing should take care of any port request I send out to the net. When I connect to my ISP POP3 server on port 110 my computer should be opening a connection on a random port to the server IP address on port 110, so I'm not sure why it only works when I have to create a NAT rule with an auto-generated firewall rule to NAT all port 110 traffic from the WAN outside interface to the LAN IP address 10.1.1.3.

    Since this is a home setup and I don't need numerous hosts, I have set up my network interfaces each with a /29 subnet mask. I will check and see if there is a /32 subnet showing anywhere as you suggested.

    Not sure if this helps, or is part of the firewall issue. However I also have another thread in the wireless section because my wireless laptop can connect but is not able to pass traffic to any other interface, even with the (allow any * * * * *) firewall rule under the OPT1 (WiFi) firewall interface.

    http://forum.pfsense.org/index.php/topic,25681.0.html
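Added example, not from the thread and not pfSense code: a small Python model of the pf-style rule evaluation the posts above are arguing about. Rules are evaluated on the interface a packet enters, first match wins, an interface with no matching rule blocks, and a passed connection creates a state entry so that the reply (arriving on WAN, addressed to the WAN IP after outbound NAT) passes without any WAN rule or port forward. It also shows that a host whose address lies outside its interface's subnet matches no "LANx subnet" rule and falls through to the default block. The WAN IP, ISP mail server, ports and the three /29 subnets are constructed to mirror the thread; the port-preserving NAT is a simplification.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

WAN_IP = "198.51.100.7"            # constructed WAN address of the firewall
ISP_POP3 = "203.0.113.10"          # constructed ISP mail server
LOCAL_NETS = {                     # constructed, mirrors the /29 layout in the thread
    "LAN":  ipaddress.ip_network("10.1.1.0/29"),
    "LAN1": ipaddress.ip_network("10.1.1.8/29"),
    "OPT1": ipaddress.ip_network("10.1.1.16/29"),
}


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet ENTERS the firewall on
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    iface: str
    action: str                  # "pass" or "block"
    proto: str = "any"
    src: str = "any"             # CIDR or "any"
    dst: str = "any"             # CIDR or "any"
    dport: Optional[int] = None  # None means any destination port

    def matches(self, p: Packet) -> bool:
        def in_net(addr: str, net: str) -> bool:
            return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        return (self.iface == p.iface
                and self.proto in ("any", p.proto)
                and in_net(p.src, self.src)
                and in_net(p.dst, self.dst)
                and self.dport in (None, p.dport))


class Firewall:
    """Stateful, first-match, default-deny filter with automatic outbound NAT."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.states = {}  # 5-tuple as it appears on the wire -> "forward" / "reply"

    def _egress_iface(self, dst: str) -> str:
        for name, net in LOCAL_NETS.items():
            if ipaddress.ip_address(dst) in net:
                return name
        return "WAN"

    def _create_state(self, p: Packet) -> None:
        # Traffic leaving via WAN is source-NATed to the WAN IP, so the reply
        # arrives on WAN addressed to WAN_IP; the port is kept for simplicity.
        leaves_via_wan = p.iface != "WAN" and self._egress_iface(p.dst) == "WAN"
        nat_src = WAN_IP if leaves_via_wan else p.src
        self.states[(p.proto, p.src, p.sport, p.dst, p.dport)] = "forward"
        self.states[(p.proto, p.dst, p.dport, nat_src, p.sport)] = "reply"

    def filter(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key in self.states:
            return "pass:state"          # established flow; no rule is consulted
        for r in self.rules:             # first matching rule wins
            if r.matches(p):
                if r.action == "pass":
                    self._create_state(p)
                return f"{r.action}:rule"
        return "block:default"           # nothing matched on this interface


def default_ruleset():
    # Constructed: the stock "LAN subnet -> any" rule plus the same thing for
    # LAN1 and OPT1. WAN has no rules, so unsolicited Internet traffic is dropped.
    return [
        Rule("LAN",  "pass", src="10.1.1.0/29"),
        Rule("LAN1", "pass", src="10.1.1.8/29"),
        Rule("OPT1", "pass", src="10.1.1.16/29"),
    ]


def pop3_session(fw: Firewall, client_ip: str, client_iface: str, sport: int = 50123):
    """Client opens TCP/110 to the ISP from an ephemeral port. Returns (SYN verdict, SYN/ACK verdict)."""
    syn = Packet(client_iface, "tcp", client_ip, sport, ISP_POP3, 110)
    syn_ack = Packet("WAN", "tcp", ISP_POP3, 110, WAN_IP, sport)   # reply, post-NAT
    return fw.filter(syn), fw.filter(syn_ack)


def unsolicited_inbound(fw: Firewall) -> str:
    """An Internet host probing the WAN address on port 110 with no matching state."""
    return fw.filter(Packet("WAN", "tcp", "192.0.2.55", 40000, WAN_IP, 110))


if __name__ == "__main__":
    fw = Firewall(default_ruleset())
    print("LAN host 10.1.1.3 -> ISP POP3:", pop3_session(fw, "10.1.1.3", "LAN"))
    print("LAN1 host 10.1.1.10 -> ISP POP3:", pop3_session(fw, "10.1.1.10", "LAN1", 50124))
    print("probe from Internet to WAN:110:", unsolicited_inbound(fw))
    print("host 10.1.1.3 plugged into LAN1:", fw.filter(Packet("LAN1", "tcp", "10.1.1.3", 50125, ISP_POP3, 110)))
```

The outbound session passes on the LAN rule and its reply passes on state alone; nothing in the WAN rule list is involved. A WAN rule or port forward only ever matters for connections that begin on the Internet side, which is the last line of the example. The misaddressed-host case is why a "LAN1 subnet" rule can appear not to work when the client holds an address from a different /29.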



  • You have something very odd going on.  Please post a network diagram, showing IP ranges (including subnet mask) and screenshots of the firewall rules.



  • Any error aside, it sounds to me like you are where I was two or three months ago. Please review this post, which contains what I learned:

    http://forum.pfsense.org/index.php/topic,25548.0.html

    Regarding having only a few machines and so keeping a tight netmask: why bother? Use /24, it is easier to think about. Use a different number for each LAN if you have several.

