wiki:Cnbp2019/Agenda/pfSenseFirewall

Version 7 (modified by admin, 6 years ago) ( diff )

--

Firewall

pfSense firewall functions support traditional firewall, NAT, mark traffic flow, traffic shaping, scheduling based on time and even controlling based on IP reputation.

Aliases

Here we can create recognizable names/ placeholders to resources like IP addresses, Port numbers. This is useful in creating multiple firewall rules against one resource as if you need to change the resource it is just a single location that we need to modify.

The name of an alias can be entered instead of the host, network or port where indicated. The alias will be resolved according to the list defined. If an alias cannot be resolved (e.g. because it was deleted), the corresponding element (e.g. filter/NAT/shaper rule) will be considered invalid and skipped.

Create IP Alias

Go to Firewall > Aliases and click + Add

  • Name: wwwserver
  • Description: Web Server
  • Type: Host(s)
  • IP or FQDN: 192.248.7.XYZ
  • Add host

and Save. If you click Add then it will allow you to add multiple IP addresses for a single name you will have multiple options for type as Hosts, Ports, Networks, or Urls to IP lists, port list

  • Name: wwwport
  • Description: Web Server HTTP & HTTPS ports
  • Type: Port(s)
  • Port: 80
  • Add Port
  • Port: 443

and Save and Apply If you select All, you will find all aliases created.

Rules

Lets allow http and https ports from outside

Go to Firewall > Rules > WAN > Add to end

  • Action: pass
  • Interface: WAN
  • Address Family: IPv4+IPv6
  • Protocol: TCP
  • Source: Any
  • Destination: Single host or Alias: wwwserver
  • Destination Port: Custom: wwwport
  • Log: ticked
  • Description: Allow any to Web ports of wwwserver

Save

For LAN side, by default web ports are enabled. If you need to allow any other port then,

Go to Firewall > Rules > WAN > Add to top

  • Action: pass
  • Interface: WAN
  • Address Family: IPv4+IPv6
  • Protocol: TCP
  • Source: Single host or Alias: wwwserver
  • Destination: Any
  • Destination Port: SSH
  • Log: ticked
  • Description: Allow wwwserver to SSH outside

Save

You may also add different Separators to define rule groups. Click + Separator Give a Name (eg: web) and a Color You may drag and drop the separator by holding from its name. Also you may drag rules by holding from the rules Anchor mark Once drag and Dropping finished click Save and Apply to complete the separation.

Schedule

Schedules act as placeholders for time ranges to be used in firewall rules.

To create a schedule, Go to Firewall > Schedules > +Add

  • Schedule Name: Office_Hours
  • Description: Normal Office hours
  • Date: click on Mon, Tue, Wed, Thu, Fri
  • Time: 8.00 to 16.00 and click add time
  • Save

Virtual IPs

To create NAT mappings we need to create a virtual IP. This acts as a secondary IP for the network of the interface it is configured. This is an Example, we will create Virtual IPs for the Lab setup later.

Go to Firewall > Virtual IPs > +Add

  • Type: IP Alias
  • Interface: WAN
  • Address: 192.248.7.XYZ and the mask (/) as 32
  • Description: Public IP for server

and Save

NAT

Here we may create NATs based on Port Forward, one to one, outbound, NPT.

We will focus on one to one NAT for workshop. We will also create NAT mappings for Lab setup later.

Go to Firewall > 1:1 > Add

  • Interface: WAN
  • External Subnet IP: 192.248.7.XYZ
  • Internal IP: Single host 192.168.XY.1
  • Destination: Any
  • Description: Public NAT

Configuring NAT Mapping for our Lab Setup

In our Lab setup We have Monitoring server and Web server that need to be accessed from outside. But they are assign private IPs. To access those servers from outside we need to create NAT mapping and their relevant Virtual IPs shown as above. After adding NAT mappings we will also need to create rules to allow network traffic to those servers from outside.

Let us add a VIP and NAT mapping for Monitoring server.

Go to Firewall > Virtual IPs > +Add

  • Type: IP Alias
  • Interface: WAN
  • Address: 192.248.7.XYZ and the mask (/) as 32
  • Description: Public IP for Monitoring server

and Save

Go to Firewall > 1:1 > Add

  • Interface: WAN
  • External Subnet IP: 192.248.7.XYZ
  • Internal IP: Single host 10.XY.5.10
  • Destination: Any
  • Description: NAT_Monitoring

Lets allow http ports from outside

Go to Firewall > Rules > WAN > Add to end

  • Action: pass
  • Interface: WAN
  • Address Family: IPv4
  • Protocol: TCP
  • Source: Any
  • Destination: Single Host, Enter 10.XY.5.10/32
  • Destination Port: HTTP(80)
  • Log: ticked
  • Description: Allow any to Web ports of Monitoring server

Save

Lets allow ICMP(ping) traffic from outside

Go to Firewall > Rules > WAN > Add to end

  • Action: pass
  • Interface: WAN
  • Address Family: IPv4
  • Protocol: ICMP
  • Source: Any
  • Destination: Single Host, Enter 10.XY.5.10/32
  • Destination Port: any
  • Log: ticked
  • Description: Allow Ping to Monitoring server

Save

Now we will add a VIP and NAT mapping for our Web server.

Go to Firewall > Virtual IPs > +Add

  • Type: IP Alias
  • Interface: WAN
  • Address: 192.248.7.XYZ and the mask (/) as 32
  • Description: Public IP for Web server

and Save

Go to Firewall > 1:1 > Add

  • Interface: WAN
  • External Subnet IP: 192.248.7.XYZ
  • Internal IP: Single host 192.168.XY.100/32
  • Destination: Any
  • Description: NAT_Web

Lets allow http ports from outside

Go to Firewall > Rules > WAN > Add to end

  • Action: pass
  • Interface: WAN
  • Address Family: IPv4
  • Protocol: TCP
  • Source: Any
  • Destination: Single Host, Enter 192.168.XY.100/32
  • Destination Port: HTTP(80)
  • Log: ticked
  • Description: Allow any to Web ports of Web server

Save

Traffic Shaper

By adding a traffic shaper you can control traffic queues with different filters. But creating a queue manually will be more advanced and the easiest way is to go through the wizard. Go to Firewall > Traffic Shaper > Wizards > traffic_shaper_wizard_dedicated.xml

  • Enter Number of WAN type connections: 1 > Next
  • Parameters:
    • Local Interface: LAN
    • Local Interface: PRIQ
    • WAN Interface: WAN
    • WAN Interface: PRIQ
    • Upload: 10 Mbit/s
    • Download 50 Mbits/s >> Next
  • Voice over IP disabled >> Next
  • Penalty Box >> Next ( for the lab we may not use penalty box, but you can try mentioning a single IP or an Alias to multiple IP's )
  • Peer to Peer Networking
    • Enable
    • p2pCatchAll: ticked
    • Bandwidth: 2 %
    • Enable P2P protocols >> Next
  • Network Games: Disabled >> Next
  • Other Networking Protocols: Disabled >> Next
  • Finish

This will refresh the state tables . If you go back to Traffic Shaper, you can tweak settings

Reference: ​https://www.netgate.com/docs/pfsense/trafficshaper/traffic-shaping-guide.html

Note: See TracWiki for help on using the wiki.