Can I do whitelist mode with pfSense?



  • Hi guys,

    I'm totally new to pfSense. In a few days I want to deploy a pfSense setup on a server as a firewall, to put 4-5 servers behind it, including a wholesale VoIP server and a few Asterisk servers.

    I have a /24 subnet of public IP addresses. I want my servers to keep their old public IPs, so pfSense must make sure that unwanted IPs stay out of my network/servers. So I will not use a NATed model, no 192.168.x.x addressing; all IPs will stay public but behind pfSense.

    I would like to have a whitelist with the IP addresses of my customers and providers; all other IP addresses will not be able to communicate with my network/servers etc.

    Is this possible?

    Thanks in advance.



  • Yes, it's possible: use an alias. Detailed info is in the new book available with the Gold subscription at https://portal.pfsense.org



  • OK, so I have been reading the book since you told me, but I was not able to find a really good explanation. There are two places in the book where they start (and only start) mentioning something in that direction and then directly move on to the default WAN-to-LAN concepts. It looks like nobody at pfSense / the book writers has ever done it, or nobody is interested; I cannot imagine that so many people use this and all use only the default model of WAN-to-LAN NAT and LAN 192.x.x.x networks.

    Would you please point me to the specific chapter where you think it tells about using ONLY public IP addressing, including whitelist firewalling?

    I need to be able to block all but the whitelisted IP addresses.

    Thanks in advance.



  • Go to Firewall > Aliases

    Create a new IP Alias and call it something like 'CustomerWhitelist' and add all the networks and IP addresses in this list.

    Go to Firewall > Rules

    Select the interface you want to add the rule to (usually WAN) and create a new rule. For source type select 'Single Host or Alias', begin typing in the name of the alias you created earlier and you'll see it pop up. For destination enter the /24 network for your public servers. Alternatively you could create another alias with all your public servers in it. Set any other options you would like and save the rule.
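    What those two GUI steps (the alias plus the WAN rule) amount to in pf terms, written here as an added illustration rather than anything from the post or from pfSense itself. pfSense generates its own ruleset with its own interface names and a number of extra rules; the interface name, the 203.0.113.0/24 server block and the addresses in the table below are constructed placeholders:

```pf
# Assumed WAN interface name and the /24 of public servers routed behind the firewall
wan_if     = "em0"
public_net = "203.0.113.0/24"

# The 'CustomerWhitelist' alias becomes a pf table; entries are constructed examples.
# Hosts and whole CIDR ranges can be mixed, so customer and provider ranges go in as networks.
table <CustomerWhitelist> persist { 198.51.100.10, 198.51.100.0/28, 192.0.2.77 }

# pfSense evaluates rules first-match ("quick"), so the pass rule must come before the block.
# keep state lets the servers' replies flow back out without a separate rule.
pass in quick on $wan_if from <CustomerWhitelist> to $public_net keep state

# Everything else arriving on WAN is dropped; pfSense adds an equivalent default deny itself.
block in log quick on $wan_if all
```

    After the rules are loaded, `pfctl -t CustomerWhitelist -T show` lists the table's current members and `pfctl -sr` prints the active rules, which is the quickest way to confirm that what you typed into the alias actually reached the running ruleset. One caveat for the VoIP side: a provider's media (RTP) often arrives from different addresses than its SIP signalling, so the provider's whole published range belongs in the alias, not just the SIP proxy, or calls will set up and then carry no audio.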



  • @Matthias:

    Go to Firewall > Aliases

    Create a new IP Alias and call it something like 'CustomerWhitelist' and add all the networks and IP addresses in this list.

    Go to Firewall > Rules

    Select the interface you want to add the rule to (usually WAN) and create a new rule. For source type select 'Single Host or Alias', begin typing in the name of the alias you created earlier and you'll see it pop up. For destination enter the /24 network for your public servers. Alternatively you could create another alias with all your public servers in it. Set any other options you would like and save the rule.

    So, I did not expect such a good step-by-step; thanks a lot. I'm going to install and start preparing everything and go the way you told me. I'll come back when I'm done.

    Thanks a lot.