| 1 | = Firewall = |
| 2 | pfSense firewall functions support traditional firewall, NAT, mark traffic flow, traffic shaping, scheduling based on time and even controlling based on IP reputation. |
| 3 | |
| 4 | == Aliases == |
| 5 | |
| 6 | Here we can create recognizable names/ placeholders to resources like IP addresses, Port numbers. This is useful in creating multiple firewall rules against one resource as if you need to change the resource it is just a single location that we need to modify. |
| 7 | |
| 8 | The name of an alias can be entered instead of the host, network or port where indicated. The alias will be resolved according to the list defined. If an alias cannot be resolved (e.g. because it was deleted), the corresponding element (e.g. filter/NAT/shaper rule) will be considered invalid and skipped. |
| 9 | |
| 10 | === Create IP Alias === |
| 11 | Go to Firewall > Aliases and click '''+ Add''' |
| 12 | • Name: wwwserver |
| 13 | • Description: Web Server |
| 14 | • Type: Host(s) |
| 15 | • IP or FQDN: 192.248.7.XYZ |
| 16 | • Add host |
| 17 | |
| 18 | and Save. If you click Add then it will allow you to add multiple IP addresses for a single name you will have multiple options for type as Hosts, Ports, Networks, or Urls to IP lists, port list |
| 19 | |
| 20 | • Name: wwwport |
| 21 | • Description: Web Server HTTP & HTTPS ports |
| 22 | • Type: Port(s) |
| 23 | • Port: 80 |
| 24 | • Add Port |
| 25 | • Port: 443 |
| 26 | and Save and Apply |
| 27 | If you select '''All''', you will find all aliases created. |
| 28 | |
| 29 | == Schedule == |
| 30 | |
| 31 | Schedules act as placeholders for time ranges to be used in firewall rules. |
| 32 | |
| 33 | To create a schedule, Go to Firewall > Schedules > '''+Add''' |
| 34 | |
| 35 | • Schedule Name: Office_Hours |
| 36 | • Description: Normal Office hours |
| 37 | • Date: click on Mon, Tue, Wed, Thu, Fri |
| 38 | • Time: 8.00 to 16.00 and click add time |
| 39 | • Save |
| 40 | |
| 41 | == Virtual IPs == |
| 42 | |
| 43 | To create NAT mappings we need to create a virtual IP. This acts as a secondary IP for the network of the interface it is configured. |
| 44 | As an example lets create a VIP to be NAT for your server. You may refer IP table reservation for your server Public IP |
| 45 | |
| 46 | Go to Firewall > Virtual IPs > ''' +Add ''' |
| 47 | • Type: IP Alias |
| 48 | • Interface: WAN |
| 49 | • Address: 192.248.7.XYZ and the mask (/) as 32 |
| 50 | • Description: Public IP for server |
| 51 | and Save |
| 52 | |
| 53 | == NAT == |
| 54 | Here we may create NATs based on Port Forward, one to one, outbound, NPT. |
| 55 | |
| 56 | We will focus on one to one NAT for workshop |
| 57 | |
| 58 | Go to Firewall > 1:1 > Add |
| 59 | • Interface: WAN |
| 60 | • External Subnet IP: 192.248.7.XYZ |
| 61 | • Internal IP: Single host 192.168.XY.1 |
| 62 | • Destination: Any |
| 63 | • Description: Public NAT |
| 64 | |
| 65 | == Rules == |
| 66 | |
| 67 | Lets allow http and https ports from outside |
| 68 | |
| 69 | Go to Firewall > Rules > WAN > Add to end |
| 70 | • Action: pass |
| 71 | • Interface: WAN |
| 72 | • Address Family: IPv4+IPv6 |
| 73 | • Protocol: TCP |
| 74 | • Source: Any |
| 75 | • Destination: Single host or Alias: wwwserver |
| 76 | • Destination Port: Custom: wwwport |
| 77 | • Log: ticked |
| 78 | • Description: Allow any to Web ports of wwwserver |
| 79 | Save |
| 80 | |
| 81 | For LAN side, by default web ports are enabled. If you need to allow any other port then, |
| 82 | |
| 83 | Go to Firewall > Rules > WAN > Add to top |
| 84 | • Action: pass |
| 85 | • Interface: LAN |
| 86 | • Address Family: IPv4+IPv6 |
| 87 | • Protocol: TCP |
| 88 | • Source: Single host or Alias: wwwserver |
| 89 | • Destination: Any |
| 90 | • Destination Port: SSH |
| 91 | • Log: ticked |
| 92 | • Description: Allow wwwserver to SSH outside |
| 93 | Save |
| 94 | |
| 95 | You may also add different Separators to define rule groups. |
| 96 | Click '''+ Separator''' Give a Name (eg: web) and a Color |
| 97 | You may drag and drop the separator by holding from its name. Also you may drag rules by holding from the rules '''Anchor''' mark |
| 98 | Once drag and Dropping finished click '''Save''' and '''Apply''' to complete the separation. |
| 99 | |
| 100 | == Traffic Shaper == |
| 101 | |
| 102 | By adding a traffic shaper you can control traffic queues with different filters. But creating a queue manually will be more advanced and the easiest way is to go through the wizard. |
| 103 | Go to Firewall > Traffic Shaper > Wizards > traffic_shaper_wizard_dedicated.xml |
| 104 | |
| 105 | * Enter Number of WAN type connections: 1 > Next |
| 106 | * Parameters: |
| 107 | * Local Interface: LAN |
| 108 | * Local Interface: PRIQ |
| 109 | * WAN Interface: WAN |
| 110 | * WAN Interface: PRIQ |
| 111 | * Upload: 10 Mbit/s |
| 112 | * Download 50 Mbits/s >> Next |
| 113 | * Voice over IP disabled >> Next |
| 114 | * Penalty Box >> Next ( for the lab we may not use penalty box, but you can try mentioning a single IP or an Alias to multiple IP's ) |
| 115 | * Peer to Peer Networking |
| 116 | * Enable |
| 117 | * p2pCatchAll: ticked |
| 118 | * Bandwidth: 2 % |
| 119 | * Enable P2P protocols >> Next |
| 120 | * Network Games: Disabled >> Next |
| 121 | * Other Networking Protocols: Disabled >> Next |
| 122 | * Finish |
| 123 | |
| 124 | This will refresh the state tables |
| 125 | . |
| 126 | If you go back to Traffic Shaper, you can tweak settings |
| 127 | |
| 128 | > Reference: https://www.netgate.com/docs/pfsense/trafficshaper/traffic-shaping-guide.html |