Configuration of pfSense: what about a WAN of ONE system?

  • Hi all,

    This is my first time here and,… guess it! I am a complete newbie in all related to pfSense. I need your help!

    Ok, so this is what I want to do with pfSense: I have a LAN with several systems. Now I to connect an "external" (I don't manage it!) computer to one of the systems of my LAN. To protect this communication, I would like to use a pfsense. I would be, let's say, really a firewall to protect my LAN from the "invader" PC.

    So when configuring pfSense, shouldn't that "invader" be the WAN? I mean, I think the LAN interface should be my "real" LAN (private network). And the "outside" is the computer I will connect...

    If my guesses are right,... how do I have to configure WAN interface in pfSense? What kind of WAN is it? Static? What about the Gateway? I don't really know how to do this...

    Thanks a lot in advance! I'll be looking forward to your replies!

  • Netgate Administrator

    How do you connect to the internet currently? DSL modem-router? Cable router? Wireless?


  • and is the "external invader" a machine physically local to you, that you can connect with a cable? or does it need to "dialin" with VPN software from a remote location?

  • Are you talking about connecting a machine that is on a different LAN, but not necessarily over a WAN connection? If so, you can simply use an OPT interface for it (or if you're using a pfSense box specifically only for this purpose, WAN is fine). I'm assuming you simply want to block this machine from accessing machines on your network other than a single one that you specify? If that's the case, you will need to add a WAN rule for the destination you're hitting, and turn outbound NAT off (or, hell, keep it on. Probably won't make much of a difference either way for most uses). If you're looking for "protection" from worms, viruses, etc. from the other machine, you will want Snort on there with strict rules, and you'll want it to block hosts automatically.

    how do I have to configure WAN interface in pfSense? What kind of WAN is it? Static? What about the Gateway? I don't really know how to do this…

    Assuming all of the above is correct (not actually going over a WAN, just using it like another interface), you'll need to set a static IP on it in the same subnet as the machine you're connecting to it. You'll also need to turn off bogon/private network protection assuming you're using a private range (which you should be). Gateway doesn't matter if this is strictly for bridging two subnets local to the pfSense box. Your gateway on the "invading" machine should be set to pfSense's WAN IP address.

  • Hi all! Sorry for being a bit late; I really appreciate your suggestions.

    @phil.davis, you are right: the invader will be physically accesible to me; I will "manage" the ethernet cable to connect it to my LAN.

    @stephenw10, I don't really connect to the internet. As timthetortoise guesses, the "invader" could be considered as from a different LAN, actually.  Indeed, most if not all the assumptions of timthetortoise are right! ;D. The invader should only access one of my machines:

    I'm assuming you simply want to block this machine from accessing machines on your network other than a single one that you specify?

    That's it! Moreover, I have to "control" what connections the invader establishese with my machine. As you mention, Snort is on my mind, but not a priority (I actually want to install pfSense on an Alix board, and I don't think snort and CF card would be a great idea; too many writes, I guess). BTW, what do you mean with "pfSense Box"? An Alix board, for example?

    So, timthetortoise, should I have to use OPT interface instead of WAN? Just give it an IP address in accordance to the IP address of the invader, and that's all? (and assure the invader's gateway is the OPT interface IPAddress…)

    On the other hand, I just want to let the connection (between [invader] and [myHost]) be an FTP link - Server on hte invader, client on myHost. Can you guide me a little bit on configuring the firewall rules, NAT, or whatever needed to only allow this kind of communication?

    Thanks a lot! It is being really helpful!

  • Netgate Administrator

    Genarally "pfSense box" = any machine that is running pfSense.

    So the only connection you want to allow between the two machines in FTP and the server is running on the assumed hostilel, 'invader', machine?

    In the simplest case you would simply install pfSense between the two machines with it's WAN interface connected to the invader. That will block all connections from the invader to the host but allow the the host to open connections to the invader. By locking down the firewall rules further you could restrict it to only allowing FTP connections.

    However I suspect that will give you trouble since it will intruduce another layer of NAT and won't allow any other traffic. Please give us some idea of how your network is configured, a diagram would be great,  along with subnets etc. It's almost impossible to be more specific without that.  :)


  • If you also have some other routing box that connects your LAN to the internet, then putting a 2nd router on the LAN to connect LAN and "InvaderNet" will be a small hassle, because LAN clients will effectively have 2 gateways out of LAN for different destination IP subnets. The LAN to internet router would be the default gateway, and would need a static route across the the pfSense router going to InvaderNet. And then replies back from InvaderNet will be delivered directly back to the LAN clients, making asymmetric routing.
    If you need public Internet, ordinary LAN and InvaderNet with appropriate firewalling between, then it is much more straightforward to put pfSense as the only router, with WAN to public internet, LAN for your ordinary machines and OPT1 for Invader Net. Then there are no routing hassles for LAN devices, and you can allow whatever you like from LAN to InvaderNet, and nothing at all (the default) from InvaderNet to anywhere…

  • Ok! In the attached file you have a Diagram of the net. As you see, it can't get simpler… The aim is to connect the "invader" to the system whose IP Address is not hidden. I actually wanted to add a new network card to this system and directly connect invader and this host through a pfsense box (maybe with crossover cables). But I don't think I am going to be able to add this card, so pfSense would connect the invader and the switch... unless you suggest somenthing different... In the end, what I need is to allow FTP connection between and the invader, and block any other traffic between invader and LAN.

    Whatever you need, please tell me.


  • Netgate Administrator

    Ok, so your network has no internet connection? Are you using static IP addresses? You have no central 'server' type device offering services?

    You could use pfSense in transparent mode to do this with minimal complication to the rest of your network but it will be a more difficult install.


  • Exactly! All are static IPs; there is no DHCP services anywhere. What do you mean with "transparent mode"? Can you explain me a little bit more (or help me where to find more info)?

    Again, lot of thanks!

  • Or you can easily put Invader on a separate subnet (e.g. make it with gateway and setup pfSense with:
    WAN: and NO gateway defined
    LAN: (and again no gateway)

    pfSense then treats these as 2 "LANs" and does not define a default route, does not do NAT between them. It just acts as a firewall and local router. You add whatever pass rules you want to LAN to allow access to WAN, and presumably no pass rules on WAN as you want no traffic initiated from Invader to LAN.

  • Mmmm, I see Phil,…

    So, with the scheme you've pointed out, would it be enough defining a rule in the WAN interfaces (Firewall -> Rules -> WAN) allowing TCP port 21 (FTP) from WAN to LAN to get it done? Or do I have to configure somewhere else the routing pfSense must perform (between interfaces), and besides, add that rule? I might be saying kind of a nonsense,... I have quite a lot to learn!!! My doubt is that I don't it is neccessary to first, configure routing, and then, add rules, or just adding rules is enough to tell pfSense to perform routing.

    Just in case: please excuse my ignorance!

    And thanks a lot!

  • Netgate Administrator

    Yep, do what Phil said. Much easier setup.  :)

    So pfSense firewall rules act on traffic entering the interface. By default the 'WAN' interface (at this point WAN is just a label as you've removed any gateway) blocks all traffic entering it. There are no firewall rules and by default everything that doesn't match a rule is blocked. The LAN interface will be setup to allow any traffic from within it's subnet. This is useful for common configuration where pfSense is an edge device between a local network and the internet but less so in your case.

    For your configuration leave the WAN interface with no rules, you do not want to allow the invader to initiate a connection to anywhere on the LAN.
    Change the 'default LAN to any' rule so that it allows only traffic with destination 'the invaders IP', using FTP ports, and with source 'myhost IP'.
    Leave the anti-lockout rule in place so you can still access the pfSense box.


  • Yep, what Steve said. And pfSense does routing without being specially asked - the underlying FreeBSD routing daemon will route between all the directly-connected networks automagically. Once you actually let traffic in with firewall rules, the routing will "just happen". Like Steve said - remember to always put the pass rules on the interface where the clients are initiating the connections you want to allow.

  • OK, Phil, Steve, I'll do what you both suggest. It sounds good! And quite clear! Thanks again!

    Looking forward to have here the Alix board and give it a try!

    I'll let you know.

    Seriously, thanks a lot for your advice!

  • Hi all,

    This is just to say that it works perfectly on the Alix board. I did some penTesting over the firewall and it performs great.

    Thanks a lot!

Log in to reply