PFsense homelab firewall – Part3

HomeLab network topology:

• LAN01 – isolated network (behind firewall) – 192.168.137.X/24 – LAN interface on firewall
• GW01 – open network – 192.168.1.X/24 – WAN interface (it is my home network)
• 192.168.137.100 – firewall IP in LAN network
• 192.168.1.100 – firewall IP in WAN network
• 192.168.137.10 – vCenter server

After PFSense homelab firewall – Part1 and PFSense homelab firewall – Part2

Is a time to do some basic configuration,

In a first instance add route into workstation which you are working from to reach network behind firewall\router. Below example how to add route on Linux system.

artur@laptop01:~$ sudo route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         o2.box          0.0.0.0         UG    0      0        0 wlan0
link-local      *               255.255.0.0     U     1000   0        0 wlan0
192.168.1.0     *               255.255.255.0   U     2      0        0 wlan0
artur@laptop01:~$ sudo route add -net 192.168.137.0 netmask 255.255.255.0 gw 192.168.1.100 dev wlan0
artur@laptop01:~$ sudo route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         o2.box          0.0.0.0         UG    0      0        0 wlan0
link-local      *               255.255.0.0     U     1000   0        0 wlan0
192.168.1.0     *               255.255.255.0   U     2      0        0 wlan0
192.168.137.0   192.168.1.100   255.255.255.0   UG    0      0        0 wlan0
artur@laptop01:~$

Add alias to firewall

Aliases makes easier to mange firewall rules.

• Go to Firewall – Alias – Add alias

Add alias in firewall

Remove FW rule which blocks private networks.

By default on pfSense has  rule on firewall which blocks all traffic from private IP addresses which comes from WAN interface. In my configuration WAN interface is not exposed to internet and all traffic are from local networks. Go to Interface –> WAN and uncheck Block private networks.

enable traffic from local networks on WAN interface

Add FW rule to pass by all traffic from WAN to LAN

• Go to Firewall – Rules -WAN tab – Add rule button

IP FW rule pfsense

• Save and apply changes

artur@laptop01:~$ ping 192.168.137.200
PING 192.168.137.200 (192.168.137.200) 56(84) bytes of data.
64 bytes from 192.168.137.200: icmp_req=92 ttl=127 time=5.31 ms
64 bytes from 192.168.137.200: icmp_req=93 ttl=127 time=3.67 ms
64 bytes from 192.168.137.200: icmp_req=94 ttl=127 time=3.84 ms
64 bytes from 192.168.137.200: icmp_req=95 ttl=127 time=1.84 ms
^C
--- 192.168.137.200 ping statistics ---
95 packets transmitted, 4 received, 95% packet loss, time 94734ms

If it works, remove ANY-ANY rule and create custom rule, for example, RDP service to vCenter server

• Go to Firewall – Rules -WAN tab – Add rule button
• provide necessary information
• save and apply configuration