PFsense homelab firewall – Part3

Shares
HomeLab network topology:
  • LAN01 – isolated network (behind firewall) – 192.168.137.X/24 – LAN interface on firewall
  • GW01 – open network – 192.168.1.X/24 – WAN interface (it is my home network)
  • 192.168.137.100 – firewall IP in LAN network
  • 192.168.1.100 – firewall IP in WAN network
  • 192.168.137.10 – vCenter server

After PFSense homelab firewall – Part1 and PFSense homelab firewall – Part2

Is a time to do some basic configuration,

In a first instance add route into workstation which you are working from to reach network behind firewall\router. Below example how to add route on Linux system.

artur@laptop01:~$ sudo route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         o2.box          0.0.0.0         UG    0      0        0 wlan0
link-local      *               255.255.0.0     U     1000   0        0 wlan0
192.168.1.0     *               255.255.255.0   U     2      0        0 wlan0
artur@laptop01:~$ sudo route add -net 192.168.137.0 netmask 255.255.255.0 gw 192.168.1.100 dev wlan0
artur@laptop01:~$ sudo route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         o2.box          0.0.0.0         UG    0      0        0 wlan0
link-local      *               255.255.0.0     U     1000   0        0 wlan0
192.168.1.0     *               255.255.255.0   U     2      0        0 wlan0
192.168.137.0   192.168.1.100   255.255.255.0   UG    0      0        0 wlan0
artur@laptop01:~$
Add alias to firewall

Aliases makes easier to mange firewall rules.

  • Go to Firewall – Alias – Add alias
Add alias in firewall

Add alias in firewall

Remove FW rule which blocks private networks.

By default on pfSense has  rule on firewall which blocks all traffic from private IP addresses which comes from WAN interface. In my configuration WAN interface is not exposed to internet and all traffic are from local networks. Go to Interface –> WAN and uncheck Block private networks.

enable traffic from local networks on WAN interface

enable traffic from local networks on WAN interface

Add FW rule to pass by all traffic from WAN to LAN
  • Go to Firewall – Rules -WAN tab – Add rule button
IP FW rule pfsense

IP FW rule pfsense

  • Save and apply changes
artur@laptop01:~$ ping 192.168.137.200
PING 192.168.137.200 (192.168.137.200) 56(84) bytes of data.
64 bytes from 192.168.137.200: icmp_req=92 ttl=127 time=5.31 ms
64 bytes from 192.168.137.200: icmp_req=93 ttl=127 time=3.67 ms
64 bytes from 192.168.137.200: icmp_req=94 ttl=127 time=3.84 ms
64 bytes from 192.168.137.200: icmp_req=95 ttl=127 time=1.84 ms
^C
--- 192.168.137.200 ping statistics ---
95 packets transmitted, 4 received, 95% packet loss, time 94734ms

If it works, remove ANY-ANY rule and create custom rule, for example, RDP service to vCenter server

  • Go to Firewall – Rules -WAN tab – Add rule button
  • provide necessary information
  • save and apply configuration

list of firewall rules pfsense

0 0 votes
Article Rating

Artur Krzywdzinski

Artur is Consulting Architect at Nutanix. He has been using, designing and deploying VMware based solutions since 2005 and Microsoft since 2012. He specialize in designing and implementing private and hybrid cloud solution based on VMware and Microsoft software stacks, datacenter migrations and transformation, disaster avoidance. Artur holds VMware Certified Design Expert certification (VCDX #077).

You may also like...

Subscribe
Notify of
guest
0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x

FOR FREE. Download Nutanix port diagrams

Join our mailing list to receive an email with instructions on how to download 19 port diagrams in MS Visio format.

NOTE: if you do not get an email within 1h, check your SPAM filters

You have Successfully Subscribed!

Pin It on Pinterest