General pfsense firewall questions

  • Hi folks,

    Oh where to start!

    I'm wanting to set up pfsense with the following interfaces: WAN, LAN, WIFI & DMZ

    I've already sorted my WAN and LAN interfaces but I'm having trouble getting my head round the WIFI & DMZ. What I'm after is for WIFI to get access to the internet but for the clients still to be protected by pfsense as is the case with LAN - as in protected from external incoming traffic.

    Is this the case by default on ALL interfaces?

    Then I'm wanting to set up 1 HTTP & 1 FTP server on my DMZ. Again for it to be protected by pfsense on the incoming side but also with ports 21 and 80 opened up for external traffic from the internet to connect to.

    I'm wanting to keep all traffic separate with no cross talk, and I know that I can do this using rules and keeping the traffic on each individual subnet to subnet i.e. LAN to LAN and WIFI to WIFI. But is this just outgoing traffic? My main problem though is that I can't find out if each interface is protected from incoming external internet traffic. I've been looking but can't find the exact answer I'm looking for.

    Any advice welcome! Be gentle!

  • By default all incoming WAN traffic is blocked, unless you specify otherwise. You will want to use NAT to redirect to ports 21 and 80, but outside of that, there isn't really much, if anything, to do on your WAN rules.

  • I've got myself confused. I was way off in my thinking! Thought that I had to block incoming traffic on each interface in the rules section…

    So what would be the difference in just allowing external traffic to pass on the WAN rules page for port 21 and 80 vs doing the NAT thing?

  • Simply opening WAN ports in the firewall rules will open them on your pfSense server itself. Using NAT will allow you to forward those requests on to internal servers.

  • Thanks timthetortoise!

    So by using NAT it's much more secure and I should just leave the WAN rules well alone… Ahhh. It's beginning to make more sense (I think)!

    Using just the rules means I'm exposing those ports on ALL interfaces, whereas NAT takes external requests and translates them to the server(s) of my choosing, thus leaving clients on the LAN & WIFI side hidden and unexposed.

    Cheers mate!

  • Not on all interfaces, only on the interface you put the rules on. If you open port 80 on WAN, your pfSense server's HTTP service will be exposed on the WAN side. NAT is generally the only way you direct traffic through your firewall to internal addresses.
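
The distinction in the two answers above, written out as the pf ruleset that pfSense generates behind its GUI. This is an added illustration, not anything from the thread or from the pfSense project; interface names, subnets and the DMZ host address are constructed placeholders.

```pf
# Constructed placeholders: adjust interface names and subnets to your box.
ext_if  = "em0"                 # WAN
lan_if  = "em1"                 # LAN
wifi_if = "em2"                 # WIFI
dmz_if  = "em3"                 # DMZ
dmz_srv = "192.168.30.10"       # the HTTP/FTP host sitting in the DMZ
table <internal> { 192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24 }

set skip on lo0

# Default deny inbound on EVERY interface: this is the "blocked unless you say
# otherwise" behaviour the thread describes. Nothing below changes it for WAN.
block in log all

# What a bare WAN firewall rule does: lets the packet in, destined to the
# firewall's own WAN address, so only pfSense's own port 80 becomes reachable.
# Left commented out on purpose; it is the "wrong" way for the stated goal.
# pass in on $ext_if proto tcp from any to ($ext_if) port 80

# What a pfSense NAT port forward does: rewrite the destination to the DMZ
# host first (rdr), then pass ONLY the rewritten traffic. Because rdr runs
# before filtering, the pass rule matches on the internal address, and clients
# on LAN/WIFI are never the destination of anything arriving from WAN.
rdr on $ext_if proto tcp from any to ($ext_if) port { 21, 80 } -> $dmz_srv
pass in quick on $ext_if proto tcp from any to $dmz_srv port { 21, 80 } keep state
# Note: port 21 alone covers the FTP control channel; passive-mode data ports
# need either a proxy or an additional forwarded port range.

# Outbound NAT so the internal subnets can reach the internet.
nat on $ext_if from <internal> to any -> ($ext_if)

# LAN and WIFI: internet only, no cross talk. Each network may talk to the
# firewall itself for DNS, and to anything that is NOT another internal subnet.
pass in quick on $lan_if  proto { tcp, udp } from $lan_if:network  to ($lan_if)  port 53 keep state
pass in quick on $wifi_if proto { tcp, udp } from $wifi_if:network to ($wifi_if) port 53 keep state
pass in quick on $lan_if  from $lan_if:network  to ! <internal> keep state
pass in quick on $wifi_if from $wifi_if:network to ! <internal> keep state

# DMZ: the server only answers forwarded connections (state already created
# above); it gets no rule to initiate traffic toward LAN or WIFI.
```

Check the result with `pfctl -sr` and `pfctl -sn` after loading: the port forward should appear as an rdr entry, and the only WAN pass rule should name the DMZ host, not the firewall's own address.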

  • Thanks for clearing that up!
    Cheers again.