SPI with pfSense?
tontoOz last edited by
I intend on using pfSense in a traditional router role rather than as a firewall per se.
So I would like to configure pfSense to provide SPI capability similar to consumer routers?
Please advise how I can do that, thanks.
Also, is there any need to enable NAT-PMP (all clients are Apple) or UPnP? Would there be security implications of doing that?
If by "SPI" you mean "stateful packet inspection" then that's what pfSense does by default. If you really don't want to block traffic but you do want SPI, then you can add pass rules for all traffic on each interface from any/to any and so on. Kind of defeats the purpose, though.
As for UPnP it is, by design, a security problem. It allows a local host to open up an external port to allow in traffic. So there will always be security implications for enabling it, but it is much more convenient for allowing in traffic for some things (especially game consoles) so it's frequently allowed. You can setup access restrictions for UPnP in the GUI.
your typical off the shelf router is a firewall as well, it just has limited features in allowing configuration of the rules. Many of them have very limited outbound controls, and inbound are all pretty much just port forwards with varying degrees of features depending on the make and model.
But in a nutshell out of the box pfsense is same as any off the shelf home router in what it does. It nats, all inbound traffic that is not direct answer to a request is blocked, while the default outbound rules from lan are any any. This is pretty much what every off the shelf router does.
Where pfsense allows you to go way beyond what any off the shelf router would allow you to do when you want to get fancier than that. But if you want to use it like that - that is pretty much how it is out of the box.
And yes you could even enable UPnP if you want it.. Where your off the self router is normally just an on and off checkbox, pfsense allows you to get fancier with allows and deny specific ports or deny from all except a specific IP to request, etc..