Firewall
pfSense's firewall functions cover a traditional firewall, NAT, marking of traffic flows, traffic shaping, time-based scheduling and even control based on IP reputation.
Aliases
Aliases let us give recognizable names (placeholders) to resources such as IP addresses and port numbers. This is useful when several firewall rules refer to one resource: if the resource changes, there is only a single place we need to modify.
The name of an alias can be entered instead of the host, network or port where indicated. The alias will be resolved according to the list defined. If an alias cannot be resolved (e.g. because it was deleted), the corresponding element (e.g. filter/NAT/shaper rule) will be considered invalid and skipped.
Create IP Alias
Go to Firewall > Aliases and click *+ Add*
- Name: wwwserver
- Description: Web Server
- Type: Host(s)
- IP or FQDN: 10.XY.1.1
- Add host
- IP : 2401:dd00:xxxx
and Save. Clicking Add lets you enter multiple IP addresses under a single name.
The Type field offers several options: Host(s), Port(s), Network(s), and URL-backed IP or port lists.
- Name: wwwport
- Description: Web Server HTTP & HTTPS ports
- Type: Port(s)
- Port: 80
- Add Port
- Port: 443
then Save and Apply.
Selecting the All tab lists every alias that has been created.
Schedule
Schedules act as placeholders for time ranges to be used in firewall rules.
To create a schedule, go to Firewall > Schedules > +Add
- Schedule Name: Office_Hours
- Description: Normal Office hours
Virtual IPs
To create NAT mappings we first need a virtual IP. It acts as a secondary IP address on the network of the interface it is configured on.
As an example, let's create a VIP that will be the NAT address for your server. Refer to the IP table reservation for your server's public IP.
Go to Firewall > Virtual IPs > +Add
- Type: IP Alias
- Interface: WAN
- Address: 192.248.7.z / 32
- Description: Public IP for server
and Save
NAT
Here we can create NAT entries of several kinds: Port Forward, 1:1 (one-to-one), Outbound and NPT.
We will focus on one-to-one NAT for the workshop.
Go to Firewall > 1:1 > Add
- Interface: WAN
- External Subnet IP: 192.248.7.z
- Internal IP: Single host 10.XY.1.1
- Destination: Any
- Description: Public NAT
Rules
Let's allow the HTTP and HTTPS ports from outside.
Go to Firewall > Rules > WAN > Add to end
- Action: pass
- Interface: WAN
- Address Family: IPv4+IPv6
- Protocol: TCP
- Source: Any
- Destination: Single host or Alias: wwwserver
- Destination Port: Custom: wwwport
- Log: ticked
- Description: Allow any to Web ports of wwwserver
Save
On the LAN side, the web ports are allowed by default. If you need to allow any other port, then:
Go to Firewall > Rules > WAN > Add to top
- Action: pass
- Interface: LAN
- Address Family: IPv4+IPv6
- Protocol: TCP
- Source: Single host or Alias: wwwserver
- Destination: Any
- Destination Port: SSH
- Log: ticked
- Description: Allow wwwserver to SSH outside
Save
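As an added example (not pfSense's own code), the script below renders the aliases, the 1:1 NAT and the two rules from this workshop as pf-style lines, and drops any rule whose alias no longer resolves, as the Aliases section describes. The output is an approximation of what pfSense generates from the GUI, and the addresses are the page's own placeholders (10.XY.1.1, 2401:dd00:xxxx, 192.248.7.z).

```python
# Added example (not pfSense's own code): render the workshop's aliases,
# 1:1 NAT and WAN/LAN rules as pf-style lines and skip any rule whose
# alias no longer resolves. Output approximates pfSense's generated
# ruleset; addresses are the page's placeholders, not real hosts.

ALIASES = {  # name -> (type, members), as created under Firewall > Aliases
    "wwwserver": ("host", ["10.XY.1.1", "2401:dd00:xxxx"]),
    "wwwport": ("port", ["80", "443"]),
}
NAT_1TO1 = {"if": "WAN", "internal": "10.XY.1.1", "external": "192.248.7.z"}
RULES = [  # dport "22" is the GUI's named port "SSH"; log mirrors "Log: ticked"
    {"if": "WAN", "src": "any", "dst": "wwwserver", "dport": "wwwport",
     "log": True, "desc": "Allow any to Web ports of wwwserver"},
    {"if": "LAN", "src": "wwwserver", "dst": "any", "dport": "22",
     "log": True, "desc": "Allow wwwserver to SSH outside"},
]

def resolve(token, aliases, kind):
    """pf operand for a literal or alias; None if the alias is missing or of
    the wrong type, which makes the referencing rule invalid (skipped)."""
    if token == "any" or token[0].isdigit():
        return token                      # literal address or port
    if aliases.get(token, (None,))[0] != kind:
        return None
    return f"<{token}>" if kind == "host" else f"${token}"

def render(aliases, nat, rules):
    """Return (ruleset lines, descriptions of rules skipped)."""
    lines = []
    for name, (kind, members) in aliases.items():
        body = " ".join(members)
        if kind == "host":                # host aliases become pf tables
            lines.append(f"table <{name}> {{ {body} }}")
        else:                             # port aliases become macros
            lines.append(f'{name} = "{{ {body} }}"')
    lines.append(f"binat on {nat['if']} from {nat['internal']} to any "
                 f"-> {nat['external']}")
    skipped = []
    for r in rules:
        src = resolve(r["src"], aliases, "host")
        dst = resolve(r["dst"], aliases, "host")
        dport = resolve(r["dport"], aliases, "port")
        if None in (src, dst, dport):
            skipped.append(r["desc"])
            continue
        log = "log " if r["log"] else ""
        lines.append(f"pass in {log}quick on {r['if']} proto tcp from {src} "
                     f"to {dst} port {dport} keep state label \"{r['desc']}\"")
    return lines, skipped
```

Removing the wwwserver alias from ALIASES and rendering again shows both rules being skipped, which is exactly why deleting an alias that rules depend on silently opens or closes nothing rather than failing loudly.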
You may also add Separators to group rules.
Click + Separator, give it a name (e.g. web) and a color.
You can drag and drop the separator by holding its name; rules can also be dragged by holding the rule's anchor mark.
Once you have finished dragging and dropping, click Save and Apply to complete the grouping.