Can someone verify my Firewall Setup?

  • I am trying to set up a pfSense system at home in prep for transferring to a business.

    I am a little new to this, but have read through all the pfSense docs and looked through many forum threads.  The docs for some reason leave out a lot of details.  I haven't bought the book, but from what I've seen in some forums, it is not much more than the docs.  If that is not true, I will gladly buy the book.

    Anyway, here's what I am trying to do:

    -WAN - enable Remote Desktop and internet cameras - this seems to be working
    -LAN - give it access to the WAN and Server, but block access to the Public WiFi interface.  Also - block Internet access to a group of PCs at night - the kids :-)
    -Server - give this interface LAN and WAN access, but no Public WiFi.  I'd like to open it up to the internet (incoming) later, but have not learned how to DMZ yet.  Mainly just open an FTP port someday.
    -Public WiFi - (wired interface to an Access Point).  Give this access to the Internet ONLY.  Blocked from all other interfaces.
    I will probably need to add another interface that will be bridged to the LAN later as well.  Mainly to reduce the need for more switches.  Just want to bridge it to the LAN.

    I've included a couple of screenshots.  Can someone tell me if I have it all set correctly?

    Thanks

  • Public Net is actually allowing access to the other subnets you want to block.  You need to change those to block in the rules.

    You are missing a rule on Public that allows out to the internet.  Use your last LAN rule as an example.

    You are missing a rule on Server that allows out to the internet.  ""  ""  ""    ""

    If you have a cable modem, your use of the 192.168.100.1 subnet will probably keep you from seeing the cable modem's web GUI… (assuming your cable modem answers to 192.168.100.1).  That may or may not be important to you...

    You should have different subnets on all three of those networks, in case you don't...


  • So something like this?  Do I need to block access to each other (LAN to Public for example) on both interfaces?  I've seen answers to this that contradict themselves.

  • Good point on the cable modem issue.  I do have one at the other location that has a web GUI portal.  My home cable modem does not (cheap version I guess).  I will definitely change it for the business application.

  • Right.  Since your server will probably not initiate requests, you probably don't need a rule blocking it from accessing the public LAN, but it won't hurt either.

    Think of the rule as living on the interface you don't want to be able to initiate the request.  So if you have an AP that you want to access for management purposes, you can leave the rule off your LAN, and as long as Public has a rule blocking access to your LAN they won't be able to see it.
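    As an added illustration of the advice in this reply (not code from the thread or from pfSense itself), the following Python model mimics how pfSense evaluates rules: on the interface where the traffic enters, top to bottom, first match wins, and anything unmatched hits the implicit default deny. The three subnets, the rulesets and the destination addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: three distinct private subnets, as the reply above recommends.
NETS = {
    "LAN": ipaddress.ip_network("192.168.10.0/24"),
    "SERVER": ipaddress.ip_network("192.168.20.0/24"),
    "PUBLIC": ipaddress.ip_network("192.168.30.0/24"),
}


@dataclass
class Rule:
    action: str   # "pass" or "block"
    dst: object   # an ip_network, or "any"

    def matches(self, dst_ip):
        return self.dst == "any" or dst_ip in self.dst


# Rules live on the interface where traffic ENTERS the firewall (the side that
# initiates).  Reply packets are allowed by the state table, so a block only has
# to sit on the initiating interface.  Order matters: blocks go before "pass any".
RULESETS = {
    "LAN": [Rule("block", NETS["PUBLIC"]), Rule("pass", "any")],
    "SERVER": [Rule("block", NETS["PUBLIC"]), Rule("pass", "any")],
    "PUBLIC": [Rule("block", NETS["LAN"]), Rule("block", NETS["SERVER"]), Rule("pass", "any")],
}


def decide(iface, dst, rulesets=RULESETS):
    """Return 'pass' or 'block' for a new connection entering on `iface` toward `dst`."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in rulesets.get(iface, []):
        if rule.matches(dst_ip):
            return rule.action     # first match wins
    return "block"                 # nothing matched: pfSense's implicit default deny


# The "AP management" case from the reply: LAN has no block toward PUBLIC, so an
# admin on LAN can still reach the access point, while PUBLIC cannot initiate to LAN.
AP_MGMT = {
    "LAN": [Rule("pass", "any")],
    "PUBLIC": [Rule("block", NETS["LAN"]), Rule("block", NETS["SERVER"]), Rule("pass", "any")],
}

if __name__ == "__main__":
    for iface, dst in [("PUBLIC", "192.168.10.5"), ("PUBLIC", "203.0.113.10"), ("LAN", "192.168.30.2")]:
        print(f"{iface} -> {dst}: {decide(iface, dst)}")
```

    A ruleset that contains only block rules reproduces the "missing a rule that allows out to the internet" problem: the unmatched internet-bound traffic falls through to the default deny.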

  • Excellent - that makes sense.  Thanks for the help and the quick response.  Much appreciated.

    As for using two interfaces as a 'switch', what's the best way?  Bridge the 2 interfaces?  Does that need any 'rules' as well?  Or is it fine to just set the 2 up with close IP ranges?  Say 192.168.10.2-100 on LAN and 192.168.10.101-200 on Server (for example)?  With the rules I already have.

    If I understand it correctly, bridging kinda does the same thing, but uses one IP range for both interfaces, correct?  Just like connecting 2 computers to the LAN with a switch?

    That should be my last question for this.  Thanks again.
