nguvu

pfSense baseline guide with VPN, Guest and VLAN support

Last revised 29 August 2017.

Preface

As this is a newly updated guide, I would welcome feedback on any bugs or areas you think require further explanation or clarification. Please email me here.

Introduction

With the release of pfSense v2.4 I wanted to take the opportunity to update and pivot my guide towards being a foundational piece in a series of guides aimed at helping users create a SOHO system capable of self-hosting numerous services and supporting migration away from cloud providers to take ownership of their own data.

Although my baseline configuration remains largely as before, there are a few areas I’ve improved due to increased knowledge or as a result of the pfSense 2.4 release. I continue to welcome feedback on any issues, bugs or areas you think require further explanation or clarification. The email link is also at the bottom of the page.

Some major areas which have been updated in this version of the guide include:

To understand more about changes in pfSense 2.4, please review Netgate’s new features and changes list.

Connectivity overview

My internet connection is still 150/150 Mbps provided by FiOS, and the Rangeley C2758f based motherboard has continued to handle that adequately. Running several OpenVPN connections and some network intrusion detection software, I usually see processor utilisation hover around 35%. This machine is equipped with 16GB of RAM, which is pretty much overkill; 8GB would most likely be sufficient. It is fitted with a Chelsio T520-CR 10GbE capable network card which provides a trunk link to a Cisco SG-500x switch.

Subnets

Although this guide focuses on building out the core local area networks (VPN, clearnet, guest and management), I’ve provided some additional details here on the rest of my VLAN setup for context.

Unencrypted ‘clearnet’

Used for general purpose surfing when an encrypted line isn’t a requirement.

General secure VPN

Primary LAN network where all traffic which exits is encrypted via OpenVPN and exits to the internet via one of several AirVPN end points.

Private VPN

I have another OpenVPN server which is used primarily to access some restricted servers for work purposes.

Guest network

Effectively this exposes my native, unencrypted ISP line, complete with the ISP’s DNS servers. It is used primarily by visitors who require internet access but also acts as a backup in case AirVPN goes down for any reason. The firewall prevents access to all local resources such as file servers.

Management network

Used for native hardware access to devices such as Unifi access points as well as interfaces intended to be utilised only by an admin user, for example, IPMI management consoles, SNMP monitoring interfaces on headless servers etc.

Security cameras

Subnet to which the various security cameras are connected. This VLAN is heavily firewalled so that anyone who compromises an externally accessible cable or a camera cannot use it to gain access to my home network. A Windows Server 2016 VM running Blue Iris sits on this VLAN so that camera traffic stays within it and does not need to be routed by pfSense.

Multiple DMZ’s

I run several DMZ subnets to provide isolated, de-restricted zones for the numerous clients and servers which need to be accessed remotely, for example FiOS TV, the Kodi video player, Plex/Emby, game consoles, VoIP devices and several game servers.

Still AirVPN?

I’m still using AirVPN as my primary VPN provider; downtime is rare and performance on the whole is still excellent. There are a number of VPN providers on the market, but the reasons why I originally went with AirVPN are still valid today, i.e.:

I found AirVPN’s speeds were best in class when I benchmarked a few of the other highly ranked providers. I’ve been with AirVPN for several years now and have suffered little downtime. If you haven’t got an AirVPN subscription, you can take one out here.

Topology

The following diagram illustrates the basic network topology of my network.

I had my Verizon ONT converted from the original coaxial cable to a Cat5 cable by Verizon, which allowed me to connect my pfSense box directly to Verizon’s network without needing to use their modem for anything other than enabling some TV set top box functionality. The conversion is free if you upgrade to a 150 Mbps service or above.
A managed switch is required to support reliable VLAN use and also provides additional ports for multiple wifi access points to give whole-home coverage for wifi devices. I’ve listed a few cost effective managed switch options in the hardware section below.

Topology

Hardware selection

Although it is possible to build a pfSense router from pretty much any old hardware, I wanted to build something powerful enough to handle VPN encryption on a 150 Mbps+ connection with minimal latency, with headroom to spare to run additional security and packet filtering packages like Snort/Suricata and pfBlockerNG. I also plan on this router being in production use for a number of years, so I wanted to ensure it could cope with future requirements as available bandwidth increases.

I’m currently using the following hardware in my pfSense box.

A managed switch is required to provide support for the VLANs. The following are suitable options and many are available cheaply on eBay. Look for 802.1Q support, i.e. the ability to tag traffic with VLAN IDs.

MikroTik RB260GS available for around $40. Accompanying VLAN Config guide here
NETGEAR ProSAFE GS108E available for around $50. Accompanying VLAN Config guide here
Cisco sg300-10 available for around $130.

If you expect to have multiple heavily used subnets you may wish to look for a switch which offers a 10GbE uplink port, as this allows a larger trunk connection to the pfSense router and correspondingly higher throughput.

You don’t need to use multiple Unifi access points; each one can carry all the VLANs needed. However, depending on the size of the property you are trying to cover, additional APs may be beneficial.

Install pfSense

Download and create bootable pfSense USB based installer

Download 2.4 from the Daily Snapshots section here.

I downloaded and used the 64-bit AMD64 Live CD/Installer ISO, which I wrote to a 2GB+ USB stick with Win32 Disk Imager.

Set BIOS settings to enable pfSense to install

To reduce complexity and avoid any potential compatibility issues I recommend disabling unneeded features within the BIOS.

Boot

Insert the USB stick in an available USB port and boot the system from it. You may need to use the one-time boot menu (often F11) or set the boot order in the BIOS. The pfSense boot menu times out after a few seconds and selects option 1 on your behalf.

Boot

Install

The first screen you will be presented with gives you the chance to boot to the Rescue Shell or launch the installer, select Install.

Install

Keymap selection

Select the required keymap. I used the default keymap, verified first with the ‘Test default keymap’ option.

Select keymap

Install on ZFS partition

A change introduced with pfSense 2.4 is the option to install on ZFS. Using a mirrored pair of SSDs for this install provides redundancy in case of a single drive failure. This should not be considered a backup and is not a replacement for a proper backup strategy for your pfSense configuration.

Select the Auto (ZFS) option.

Select ZFS partition format
Select Auto-ZFS

…change the ZFS Pool type to Mirrored.

Select mirrored format

You will then be presented with an option to select the pair of disk drives you wish to use for this partition, I’ve selected ssd1 and ssd2 here as indicated by the * next to them.

Select disks
Select hard disks

Verify your settings are correct and as you intended, here are my settings.

Verify ZFS settings
Note: If you decide to encrypt your volume, make sure you remember the passphrase, as it cannot be recovered. Also note that the system will not boot until the passphrase is entered at the console at power on, so think about the implications for a headless or remotely managed box before enabling it.

Select Proceed with Installation when satisfied.

It is possible to configure regular scrubs of the pool to ensure reliable long-term operation, and email notifications should the mirror develop any health issues.

Installation will take a short while. Once it has finished you will be prompted to make final manual adjustments; say ‘no’ and on the following screen select Reboot.

Reboot

Initial Configuration

Your pfSense machine should now boot from the fresh install. After a short while you should see an options page which looks something like this.

First boot

By default the installer configures the first NIC as the WAN port, obtaining an address via DHCP from your ISP. The second NIC is configured as your local LAN interface at 192.168.1.1. A DHCP server runs on this interface, so if you connect your PC to this port you should receive an IP address which will allow you to access the pfSense webConfigurator and continue the configuration.

First login

Open a browser and enter http://192.168.1.1 into the address bar; you should be presented with a login screen as shown below. If this doesn’t work, check that your PC has an address in the same range as pfSense’s LAN interface.

First login

To log in, enter the username ‘admin’ and the password ‘pfsense’.

pfSense wizard setup

Wizard Setup

The configuration wizard will guide you through the initial configuration steps. Select Next to begin.

Bling your pfsense with pfSense gold

Wizard Setup

You’ll be offered the chance to purchase a pfSense Gold subscription, which offers benefits including auto backup, regular video hangouts and, probably most importantly, the definitive guide book, which is a great resource. Select Next to continue.

General Information

Wizard Setup

Configure this screen as specified below. We’ll use the OpenDNS servers for initial DNS resolution.

Configure NTP

Wizard Setup

The default time server hostname is usually correct, but make sure to set the Timezone to your own location.

Configure WAN Interface

Wizard Setup

Configure this page as follows. Most of these options will remain at their defaults, i.e. empty.

Configure WAN Interface

General Configuration

Static IP Address

DHCP client configuration

PPPoE configuration

PPTP configuration

RFC1918 networks

Block BOGON networks

Select next to continue.

Configure LAN Interface

Wizard Setup

You can give your LAN interface a specific address here if needed. Leave it as 192.168.1.1 for now.

Select Next to continue.

Set Admin WebGUI Password

Wizard Setup

Select a strong password to protect the web interface from unauthorised access.

Select Next to continue.

Enter the dashboard…

Wizard Completed

Click ‘Here’ to enter the pfSense webConfigurator and you’ll be presented with the main dashboard, from which we’ll configure the rest of the system.

Initial pfSense dashboard

Admin access configuration

We will set up some general configuration options first, using the menu bar at the top of the page.

Navigate to System > Advanced > Admin Access

Web Configurator

In the previous 2.3 guide I moved the webConfigurator to HTTPS on port 445. There is little security benefit in such trivial obscurity, and with no other services running on port 443 I now leave the configurator on the default HTTPS/443. There are some other options we should configure here though.

We can disable the system’s default anti-lockout rule, as we will create our own during the firewall setup. Until that rule exists a mistake in the interface rules can lock you out of the webConfigurator, so keep console (or serial) access to the box available while you work through this guide.

Secure Shell

Enable SSH access to pfSense, which we will make use of later.

Web configurator configuration

At this point you will be logged out and back in again, and the banner will display a red warning indicating that pfSense has created SSH host keys. Click ‘Mark all as read’ to clear the warning.

Firewall/NAT configuration

Navigate to System > Advanced > Firewall/NAT

Firewall Advanced

Bogon Networks

Miscellaneous configuration

Navigate to System > Advanced > Miscellaneous

Power Savings

Cryptographic Hardware Acceleration

Select the following only if you are using an Intel processor with AES-NI support. Alternative options are available if you happen to be using an AMD processor or your processor doesn’t offer any hardware acceleration.

Setup Interfaces

Setup VLAN Interfaces

We need to identify a parent interface before we start configuring VLANs. The parent interface is the physical interface on which the VLANs will reside, e.g. igb3 or ix0. Due to inconsistent behaviour with some NICs when tagged and untagged traffic are mixed on the same port, you should not assign the parent interface to any interface in pfSense; its sole function is to act as the parent for the VLANs we create.

Navigate to Interfaces > Assignments and select VLANs

Create Management VLAN

Click ‘+’
Parent Interface: Your preferred parent interface, in my case, em2
VLAN Tag: 10
VLAN Priority: 0
Description: VL10_MGMT
Save

Create VPN LAN Interface

Click ‘+’
Parent Interface: Your preferred parent interface
VLAN Tag: 20
VLAN Priority: 0
Description: VL20_VPN
Save

Create CLEARNET LAN Interface

Click ‘+’
Parent Interface: Your preferred parent interface
VLAN Tag: 30
VLAN Priority: 0
Description: VL30_CLRNET
Save

Create Guest VLAN

Click ‘+’
Parent Interface: Your preferred parent interface
VLAN Tag: 40
VLAN Priority: 0
Description: VL40_GUEST
Save

Once complete your VLAN Interfaces should look like this

VLAN Interfaces

Add VLANs to available Interfaces

Navigate to Interfaces > Assignments

Select ‘VLAN10 on em2’ from the available network ports
Click ‘Add’

Select ‘VLAN20 on em2’ from the available network ports
Click ‘Add’

Select ‘VLAN30 on em2’ from the available network ports
Click ‘Add’

Select ‘VLAN40 on em2’ from the available network ports
Click ‘Add’

Your interface page should now look something like this. Note the parent interface (in my example, em2) remains unassigned.

Interface assignments

Set IP address for each VLAN interface

I like to match the third octet of the IP address to the VLAN ID as this makes remembering which is which easier, so VLAN ID 10 = 192.168.10.0/24.

VL10_MGMT Interface

Navigate to Interfaces > Assignments

Click on the label next to the VL10_MGMT network port; it is likely to be ‘OPT1’.
Configure this interface as follows:-

General Configuration

Static IPv4 configuration

Private Networks

Verify your settings against the image below and Click Save & Apply changes.

VL10_MGMT interface

VL20_VPN Interface

Navigate back to Interfaces > Assign and configure the VL20_VPN interface by clicking on the label next to the VL20_VPN network port. We’ll configure this similarly to the VL10_MGMT Interface except we’ll give it a unique name and IP address.

General Configuration

Static IPv4 configuration

Click Save & Apply changes.

VL30_CLRNET Interface

Navigate back to Interfaces > Assign and configure the VL30_CLRNET interface by clicking on the label next to the VL30_CLRNET network port. We’ll configure this similarly to the VL10_MGMT Interface except we’ll give it a unique name and IP address.

General Configuration

Static IPv4 configuration

Click Save & Apply changes.

VL40_GUEST Interface

Navigate back to Interfaces > Assign and configure the VL40_GUEST interface by clicking on the label next to the VL40_GUEST network port. We’ll configure this similarly to the VL10_MGMT Interface except we’ll give it a unique name and IP address.

General Configuration

Static IPv4 configuration

Click Save & Apply changes.

Setup DHCP per interface

I like to set each interface to use x.x.x.100-199 for dynamic addresses and reserve x.x.x.10-99 for static allocations. Depending on the number of devices in your network you may need to adjust this to suit.

Navigate to Services > DHCP Server

Select VL10_MGMT tab and set the DHCP server as follows:-

Verify your settings against the image below (I only display the general options below as the rest are default) and then click Save & Apply

VL10_MGMT DHCP configuration

Now we’ll set up the rest of the interfaces. Select the VL20_VPN tab and set the DHCP server as follows:-

Select VL30_CLRNET tab and set the DHCP server as below.

Select the VL40_GUEST tab and set the DHCP server as below. For my guest network, I override the default DNS servers handed out by pfSense with my ISP’s DNS servers. Substitute your own ISP’s servers for these entries.
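As an added example (not part of the original guide), the following Python derives the addressing plan above from its conventions: the third octet equals the VLAN ID, the interface sits at .1, .10-.99 is reserved for static allocations and .100-.199 is the DHCP pool. The VLAN names and IDs are the guide’s; the guest DNS addresses are placeholders standing in for your ISP’s servers, and the overlap check is my addition. It also refuses the one case the scheme cannot handle, a VLAN ID above 254.

```python
import ipaddress

# VLAN IDs and names from the guide.
VLANS = {10: "VL10_MGMT", 20: "VL20_VPN", 30: "VL30_CLRNET", 40: "VL40_GUEST"}
BASE = "192.168"


def plan_vlan(vlan_id, name, dns=None):
    """Addressing plan for one VLAN under the guide's conventions:
    192.168.<vlan_id>.0/24, interface at .1, statics .10-.99, DHCP pool .100-.199."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"{vlan_id}: 802.1Q VLAN IDs run from 1 to 4094")
    if vlan_id > 254:
        # The third-octet convention only works for IDs that fit in one octet;
        # larger IDs need a different mapping, so refuse rather than guess one.
        raise ValueError(f"{vlan_id}: does not fit the third-octet scheme")
    net = ipaddress.ip_network(f"{BASE}.{vlan_id}.0/24")
    gateway = net[1]
    return {
        "name": name,
        "network": str(net),
        "gateway": str(gateway),
        "static_range": (str(net[10]), str(net[99])),
        "dhcp_range": (str(net[100]), str(net[199])),
        # Clients use pfSense itself for DNS unless the caller overrides it
        # (the guide does this for the guest network).
        "dns": list(dns) if dns else [str(gateway)],
    }


def build_plan(vlans=VLANS, guest_dns=("198.51.100.53", "198.51.100.54")):
    """Plan every VLAN; guest_dns is a placeholder for your ISP's DNS servers."""
    plan = {}
    for vlan_id, name in sorted(vlans.items()):
        dns = guest_dns if name.endswith("GUEST") else None
        plan[name] = plan_vlan(vlan_id, name, dns)
    return plan


def check_no_overlap(plan):
    """True if no two VLANs share address space (easy to get wrong when
    typing each interface's address into the GUI by hand)."""
    nets = [ipaddress.ip_network(p["network"]) for p in plan.values()]
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def dhcp_pool_size(entry):
    """Number of leases available in the VLAN's dynamic pool."""
    lo, hi = (ipaddress.ip_address(x) for x in entry["dhcp_range"])
    return int(hi) - int(lo) + 1


if __name__ == "__main__":
    for name, entry in build_plan().items():
        print(f"{name}: {entry['network']} gw {entry['gateway']} "
              f"dhcp {entry['dhcp_range'][0]}-{entry['dhcp_range'][1]} dns {entry['dns']}")
```

Running it prints one line per VLAN with the network, gateway, DHCP pool and DNS servers to type into the Interfaces and DHCP Server pages; check_no_overlap is worth running again whenever you add a subnet.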

NTP Server

My complete network is synced to my pfSense router, with the exception of devices on the guest network, which are permitted to use external time sources.

Navigate to Services > NTP

This is how your NTP server should look.

NTP configuration

Generate AirVPN certificates

Now we’ll generate our required AirVPN certificates. Open a browser and go to airvpn.org, sign into your account and then navigate to Client Area > Config Generator and enter the following settings.

AirVPN Certificate export

Download the certificates to your local machine. Either download one of the packed archives, or download the separate files and extract them. We will use these four certificate and key files plus the .ovpn config file to configure the OpenVPN client in pfSense in the next step.

Create AirVPN Certificate Authority

Back in pfSense’s GUI, we’ll create the Certificate Authority first.
Navigate to System > Cert Manager > CAs

AirVPN CA

This is what the certificate authority should look like once you’ve added it

AirVPN CA summary

Add AirVPN certificate.

Navigate to System > Cert Manager and select certificates

AirVPN certificate

This is what the certificates page should look like once you’ve added it

AirVPN certificates

Create VPN connection

AirVPN are still upgrading their servers; at the time of writing not all of them are running OpenVPN 2.4.x. OpenVPN 2.4 added the AES-GCM ciphers, which are not available when connecting to a server running 2.3.x. All of the UK servers are running 2.3.x, the Los Angeles servers are 2.3.x but Dallas is 2.4.x. In this guide we’ll configure our OpenVPN client to negotiate with the AirVPN server and select the strongest cipher both sides support. To check a server, log into AirVPN and click on it under the Status menu; it will display which version of OpenVPN it is running.

Navigate to VPN > OpenVPN and select Clients

General Information

User Authentication Settings

Cryptographic settings

Tunnel Settings

Advanced Configuration

AirVPN cryptographic settings

Assign OpenVPN interface

We’ll now assign the OpenVPN interface we just created to a pfSense interface.

Navigate to Interfaces > Assignments

AirVPN interface

Set up the interface as follows:

AirVPN interface

Setup AirVPN Gateway

It’s not possible to rename the default gateway, but we can create a new gateway based on the system one, call it what we want, and then delete the original.

Navigate to System > Routing.

Click on ‘+Add’.

10.4.0.1 is the AirVPN DNS server for connections on UDP port 443. For reference, the other DNS servers are listed at the bottom of the page linked here.

AirVPN gateway

After applying the new gateway configuration, the Gateway summary should look like this

AirVPN gateway summary

Preventing IP address leaks

This is an important step, required to reduce the chance of leaks if the VPN goes down for any reason. By default, when a gateway named in a firewall rule is down, pfSense loads the rule without the gateway, so traffic that should have left via the VPN silently takes the default (ISP) route instead. Enabling ‘Skip rules when gateway is down’ omits such rules from the ruleset entirely, so VPN-bound traffic is blocked rather than leaked.

Navigate to System > Advanced and select Miscellaneous. Scroll down to Gateway Monitoring and set the following

Gateway monitoring

DNS Configuration

One of the biggest changes to my system since creating the 2.3 guide is to my DNS resolution setup. I now make use of 3 sets of DNS servers.

In general my system is designed to

To support this feature set, all local devices will be set to use the pfSense router as their sole DNS server. Cached or local names known to the DNS Resolver will be returned to the client, and unknown lookups will be forwarded to either OpenDNS or the root servers via the AirVPN tunnel. Results returned will be cached for future reference.

To reduce leaks, I lock the Resolver down to the VPN_WAN interface. If the VPN connection goes down, DNS lookups won’t be possible, which is why I provide the guest and clearnet networks as a backup on the rare occasions AirVPN goes down. It is possible to set up multiple simultaneous connections to AirVPN for further redundancy; this is covered in another guide.

I think this is a good compromise between providing the required functionality and security. I’ve spent time verifying there are no leaks with this setup but there are no guarantees given - please do your own testing.

VL40_GUEST is not added to the interfaces selection as devices on that subnet do not use the DNS Resolver or Forwarder to resolve names, but instead go directly to the DNS servers handed out by the DHCP server.

DNS Resolver

First let’s configure the DNS Resolver. Navigate to Services > DNS Resolver > General Settings

DNS Resolver

Navigate to Services > DNS Resolver > Advanced Settings

DNS Forwarder

The DNS Forwarder uses the servers configured during installation, which can be edited if necessary under System > General Setup.

Navigate to Services > DNS Forwarder

Under Domain Overrides, click ‘+Add’ to create a domain override for local lookups

Click Save

DNS Forwarder Domain Override

When done, the complete DNS Forwarder should look like this

DNS Forwarder

Clients send DNS queries to port 53, but the DNS Forwarder listens on port 5353 because the Resolver already holds port 53. We therefore need a port forward on VL30_CLRNET that redirects queries to port 53 on the interface address to port 5353, so that clients on that subnet use the Forwarder rather than the Resolver.

Navigate to Firewall > NAT

Click Add

Click Save & Apply changes

The redirect entry should look like this

DNS Forwarder rule

and the port forward page,

DNS port forward summary

Update General DNS settings

Navigate to System > General Setup

Ensure the following are set correctly

It should look like this when finished

DNS server settings

Verify DNS functionality

It’s worth verifying that basic DNS lookups work before we complicate matters by introducing the VPN DNS server.

Navigate to Diagnostics > DNS Lookup

You should see an IP address returned as well as the time taken to receive the response from the servers configured in the System > General setup page.

DNS check

Set up outgoing NAT for LAN & localhost

NAT is needed to translate your private local addresses to the public address of the interface the traffic leaves on. We’ll set this up for both our WAN and VPN_WAN gateways now. Specifically we will enable functionality to allow

Navigate to Firewall > NAT and select Outbound

A number of rules will be created automatically. Delete any with ‘500’ in the Destination Port column; these are the static-port rules for IPsec ISAKMP (UDP 500), which we won’t need as we aren’t running IPsec, and removing them keeps things clear and simple. If you later add IPsec, let pfSense regenerate them or add them back by hand.

Edit ‘localhost to WAN’ NAT

Click the pencil icon next to the 127.0.0.0/8 line to edit it.

Edit ‘LAN to WAN` NAT

Click the pencil icon next to the auto-created LAN rule to edit it

Edit ‘VL10_MGMT to WAN` NAT

Click the pencil icon next to the auto-created VL10_MGMT rule to edit it

Edit ‘VL20_VPN to WAN’ NAT

Click the pencil icon next to the auto-created VL20_VPN rule to edit it

Edit ‘VL30_CLRNET to WAN’ NAT

Click the pencil icon next to the auto-created VL30_CLRNET rule to edit it

Edit ‘VL40_GUEST to WAN’ NAT

Click the pencil icon next to the auto-created VL40_GUEST rule to edit it

Setup ‘VL20_VPN to VPN_WAN’ gateway access

Click ‘Add bottom’

When you are done your outbound NAT table should look like the image below

Outbound NAT

Create Aliases for firewall rules

We are going to create a few aliases which we will use in the creation of the firewall rules later. These simplify the job of making changes in future especially as we add more interfaces and functionality to our network.

Define local subnets

First we will create an alias to define the internal subnets.
Navigate to Firewall > Aliases > IP

Local subnet alias

Define SELECTIVE_ROUTING addresses

We’ll use this alias to specify traffic which should leave the VPN subnet via the default WAN gateway rather than the VPN. For now it is an empty placeholder list.

Navigate to Firewall > Aliases > IP

Define administration / anti-lockout ports

We will create a list defining the ports administration traffic uses; later we will allow these ports with a dedicated rule on key interfaces to ensure we don’t lock ourselves out when configuring the firewall. Make sure these ports match the ones you set earlier on the Advanced > Admin Access page for HTTPS and SSH.

Note: This alias used to be called ANTI_LOCKOUT in my earlier 2.3 guide.

Navigate to Firewall > Aliases > Ports

Define ports allowed to communicate between internal subnets

We will create a list of ports to define what traffic is permitted to traverse between local subnets. You will need to amend this alias to suit your own network’s requirements, but this should get you started. Reviewing the firewall logs will show which ports are being blocked, if any.

Navigate to Firewall > Aliases > Ports

Define ports allowed to access the internet

We will create a list of ports to define what is allowed to access the internet. You will need to amend this to suit your own network’s requirements.
Again, if any programs or services you use stop working, check the firewall logs to see whether any blocked ports are being reported.

Navigate to Firewall > Aliases > Ports

Setup Firewall Rules

Firewall rules are a critical component of securing your network, and it’s worth double checking you have this section set up correctly; errors here could expose your network to unwanted intruders. I currently split my IPv4 and IPv6 default blocks into separate rules, but you could combine them into a single rule if you prefer. The order of the rules is important as they are processed from top to bottom, first match wins. I’ve added images of each interface so you can verify your rules have been created and ordered correctly.

First we will set up the WAN interface. With no rules, all inbound traffic is dropped by the implicit default deny. We will add an explicit catch-all rule that blocks and, more importantly, logs inbound traffic so we can see who may be trying to gain access, independent of the logging setting for the default block rules.

WAN rules

Navigate to Firewall > Rules > WAN

Your WAN interface should look like this when done. (I’ve added some separators to provide notes and aid readability; they aren’t a requirement, so feel free to omit them.)

WAN rules

VPN_WAN rules

Now we will create similar block rules on the VPN_WAN interface to prevent and log any unwanted ingress.

Navigate to Firewall > Rules > VPN_WAN and create the following rules:

A rule to block and log IPv4 traffic

and a rule to block IPv6 traffic

Your VPN_WAN interface should look like this when done.

VPN_WAN rules

VL10_MGMT rules

My management interface requirements are:

I’ve added some images to help illustrate the correct way to complete the fields of each rule.

Navigate to Firewall > Rules > VL10_MGMT and create the following rules:

Create anti-lockout rule.

VL10_MGMT Anti-lockout rule

Create allow ICMP ‘ping’ debugging from management interface rule.

VL10_MGMT allow ping rule

Create allow local traffic from management interface to all other subnets rule.

VL10_MGMT allow local subnets rule

Create allow traffic from management interface to Internet rule

We identify internet-bound traffic as traffic whose destination is NOT in the LOCAL_SUBNETS alias, using the ‘Invert match’ option on the destination.

VL10_MGMT allow WAN rule

Create reject any NTP traffic destined for anywhere except pfSense gateway rule

VL10_MGMT reject non local NTP rule

Create block unknown IPv4 rule

Create block unknown IPv6 rule

Your VL10_MGMT interface should look like this when done.

VL10_MGMT rule summary

VL20_VPN rules

Now we will create the rules for our VPN and primary local interface, the requirements for this interface are:

Navigate to Firewall > Rules > VL20_VPN and create the following rules.

Create allow ICMP pings for network diagnostics rule

Create allow traffic to local subnets on permitted ports only rule.

We make use of the LOCAL_SUBNETS and Allowed_OUT_ports_LAN aliases in this rule

Create selective routing rule for specified traffic to exit ISP WAN gateway.

Allow specified traffic to exit via the default unencrypted ISP gateway. This is useful for sites which block VPNs or require you to expose your true location, for example banking sites.

Create pass approved internet bound traffic out the VPN gateway

VL20_VPN VPN egress

Create block non local NTP lookups rule

Create default Block & log rules

Block default IPv6

VL20_VPN Summary

Your VL20_VPN interface should look like this when done.

VL20_VPN rule summary

VL30_CLRNET rules

Now we will create the rules for our unencrypted ‘clearnet’ local interface, the requirements for this interface are:

Navigate to Firewall > Rules > VL30_CLRNET and create the following rules:-

Create allow Pings for network diagnostics rule

Create allow traffic to local subnets on permitted ports only rule.

We make use of the Allowed_OUT_ports_LAN & LOCAL_SUBNETS aliases here again.

Create pass approved internet bound traffic out the default system gateway, i.e not the VPN connection rule

Create block rogue NTP lookups rule

Create default block & log rules

Default block IPv6

VL30_CLRNET Summary

Your VL30_CLRNET interface should look like this when done.

VL30_CLRNET rule summary

VL40_GUEST

Our GUEST network is a special case. Critically, we do not allow guests access to any internal devices or subnets. The requirements for the guest interface are:

Navigate to Firewall > Rules > VL40_GUEST and create the following rules:-

Create deny traffic to pfsense WAN, VPN or other interfaces

‘This Firewall (self)’ is a built-in destination choice representing every address assigned to your pfSense box, including its WAN and VPN interfaces. It matters here because the WAN address is not in LOCAL_SUBNETS, so without this rule a guest could reach services bound to it, such as the webConfigurator, via the ‘allow internet’ rule below.

Create allow Pings for network diagnostics.

Create allow guest access the internet uncensored rule

This permits the external access including DNS/port 53 and NTP/port 123 traffic.

Create block rule to any local networks.

I also log any matches of this rule so I can see if any of my guests are attempting to access my local networks.

Create default block & log rules

Default block IPv6

VL40_GUEST Summary

Your VL40_GUEST interface should look like this when done.

VL40_GUEST rule summary
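To make the ordering and gateway behaviour concrete, here is an added Python model (example code, not from the guide or from pfSense) of how the VL20_VPN and VL40_GUEST rulesets above are walked: the first match wins, the ‘Skip rules when gateway is down’ option from the Gateway Monitoring step decides what happens when VPN_WAN is down, and ‘This Firewall (self)’ matches the firewall’s own addresses. The subnets and rule order are the guide’s; the WAN and VPN_WAN addresses, the SELECTIVE_ROUTING range and the contents of the port alias are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subnets from the guide (LAN plus the four VLANs).
LOCAL_SUBNETS = [ipaddress.ip_network(n) for n in (
    "192.168.1.0/24", "192.168.10.0/24", "192.168.20.0/24",
    "192.168.30.0/24", "192.168.40.0/24")]
# "This Firewall (self)": every address pfSense holds. The VLAN gateways are
# the guide's; the WAN (203.0.113.10) and VPN_WAN (10.4.12.34) addresses are assumed.
THIS_FIREWALL = {ipaddress.ip_address(a) for a in (
    "192.168.1.1", "192.168.10.1", "192.168.20.1", "192.168.30.1",
    "192.168.40.1", "203.0.113.10", "10.4.12.34")}
SELECTIVE_ROUTING = [ipaddress.ip_network("198.51.100.0/24")]  # assumed "bank" range
ALLOWED_OUT_PORTS = {80, 443}  # assumed contents of the Allowed_OUT_ports alias


@dataclass
class Rule:
    action: str                   # pass | block | reject
    dst: str = "any"              # any | local | !local | this_firewall | selective
    proto: str = "any"            # any | icmp | tcp | udp
    ports: Optional[set] = None   # destination ports; None means any
    gateway: str = "default"      # default | WAN | VPN_WAN
    log: bool = False


def _dst_matches(rule, dst):
    in_local = any(dst in n for n in LOCAL_SUBNETS)
    return {
        "any": True,
        "local": in_local,
        "!local": not in_local,  # "not LOCAL_SUBNETS", i.e. internet-bound
        "this_firewall": dst in THIS_FIREWALL,
        "selective": any(dst in n for n in SELECTIVE_ROUTING),
    }[rule.dst]


def evaluate(rules, dst, proto, port=None, gateways_up=("WAN", "VPN_WAN"),
             skip_when_down=True):
    """Walk the ruleset top to bottom and return (action, gateway, index) of the
    first match. A rule whose gateway is down is omitted when skip_when_down is
    True (pfSense's 'Skip rules when gateway is down'); otherwise it is loaded
    without its gateway and the packet takes the default route."""
    dst = ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if not _dst_matches(r, dst):
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.ports is not None and port not in r.ports:
            continue
        gw = r.gateway
        if gw != "default" and gw not in gateways_up:
            if skip_when_down:
                continue
            gw = "default"
        return r.action, gw, i
    return "block", None, None  # implicit default deny when nothing matches


# VL20_VPN in the order the guide lists it (ports simplified to the alias above).
VL20_VPN = [
    Rule("pass", "any", "icmp"),
    Rule("pass", "local", ports=ALLOWED_OUT_PORTS),
    Rule("pass", "selective", gateway="WAN"),
    Rule("pass", "!local", ports=ALLOWED_OUT_PORTS, gateway="VPN_WAN"),
    Rule("reject", "!local", "udp", {123}),
    Rule("block", log=True),
]

# VL40_GUEST in the guide's order.
VL40_GUEST = [
    Rule("block", "this_firewall"),
    Rule("pass", "any", "icmp"),
    Rule("pass", "!local"),
    Rule("block", "local", log=True),
    Rule("block", log=True),
]


def vpn_egress(dst, vpn_up, skip_when_down=True):
    """HTTPS from the VPN subnet to dst, with VPN_WAN up or down."""
    up = ("WAN", "VPN_WAN") if vpn_up else ("WAN",)
    return evaluate(VL20_VPN, dst, "tcp", 443, up, skip_when_down)


def guest_to_firewall_wan(with_self_rule=True):
    """A guest connecting to the firewall's WAN address on HTTPS."""
    rules = VL40_GUEST if with_self_rule else VL40_GUEST[1:]
    return evaluate(rules, "203.0.113.10", "tcp", 443)


if __name__ == "__main__":
    print(vpn_egress("8.8.8.8", vpn_up=True))                         # ('pass', 'VPN_WAN', 3)
    print(vpn_egress("8.8.8.8", vpn_up=False))                        # ('block', 'default', 5)
    print(vpn_egress("8.8.8.8", vpn_up=False, skip_when_down=False))  # ('pass', 'default', 3): leak
    print(guest_to_firewall_wan())                                    # ('block', 'default', 0)
    print(guest_to_firewall_wan(with_self_rule=False))                # ('pass', 'default', 1)
```

The two VPN-down cases show why the Gateway Monitoring setting matters: with the skip option off, the egress rule is loaded without its gateway and the traffic silently leaves via the ISP. The guest cases show why the ‘This Firewall’ rule sits first: the WAN address is not in LOCAL_SUBNETS, so the ‘allow internet’ rule on its own would let a guest reach the webConfigurator on it.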

LAN

My LAN interface is treated rather differently. It’s mainly used for debugging and as such it gets reconfigured from time to time. As an initial setup I usually configure it with the following requirements in mind.

Navigate to Firewall > Rules > LAN and create the following rules:-

Create anti-lockout rule

Create the anti-lockout rule ensuring we can always gain access to the GUI and the shell.

Create the rule to allow ICMP pings

Create pass all traffic, local or internet bound

Create default block & log rules

Default block IPv6

LAN Summary

Your LAN interface should look like this when done.

LAN rule summary

Reboot

This would be a good time to restart your firewall box. The system should boot and allow you to log back into the dashboard where if everything is correct, the WAN and VPN_WAN interfaces will have IP addresses allocated to them.

Dashboard

If things don’t work as expected, make use of the system logs by navigating to Status > System Logs. The various tabs there will allow you to investigate all areas of the firewall and help you track down any issues.

Verification of functionality and performance

Connect up your managed switch and assuming you have correctly configured the trunk port and tagged LAN ports you should be able to go ahead and test the various subnets work correctly. There are some switch configuration guides for popular and cheap models available from the index page.

Verify you are allocated a valid IP address on each subnet.

Here I am connected to the VL20_VPN network and awarded a 192.168.20.100 address.

$ ifconfig en0
en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    ether b8:e8:56:30:90:5e
    inet6 fe80::bae8:56ff:fe30:905e%en0 prefixlen 64 scopeid 0x4
    inet 192.168.20.100 netmask 0xffffff00 broadcast 192.168.20.255
    nd6 options=1<PERFORMNUD>
    media: autoselect
    status: active

Verify DNS lookups.

We have three methods of DNS resolution to verify:

VL20_VPN

Verify local lookups

We use nslookup to resolve an address.

$ nslookup pfsense.org
Server:     192.168.20.1
Address:    192.168.20.1#53

Non-authoritative answer:
Name:   pfsense.org
Address: 208.123.73.69

Verify DNS lookups to non local DNS servers are blocked.

Here I use the dig command and force the DNS query to use Google's DNS server (8.8.8.8). This should, and does, fail.

$ dig @8.8.8.8 pfsense.org

; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 pfsense.org
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Verify local name resolution is working correctly.

I use nslookup to look up my pfSense gateway by its hostname and verify the address is returned correctly.

$ nslookup pfsense
Server:     192.168.20.1
Address:    192.168.20.1#53

Name:   pfsense.local.lan
Address: 192.168.1.1

Verify reverse lookups

Verify you can resolve a hostname from an IP address.

$ nslookup 192.168.1.1
Server:     192.168.20.1
Address:    192.168.20.1#53

1.1.168.192.in-addr.arpa    name = pfsense.local.lan.

Verify .local.lan authority

My DNS Resolver is authoritative for my local.lan domain. If I try to look up a name which is not part of my network it will return NXDOMAIN rather than forward the lookup to external DNS resolvers.

$ dig nothere.local.lan

; <<>> DiG 9.8.3-P1 <<>> nothere.local.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18955
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;nothere.local.lan.     IN  A

;; AUTHORITY SECTION:
local.lan.      10800   IN  SOA pfsense.local.lan. root.local.lan. 1 3600 1200 604800 10800

;; Query time: 4 msec
;; SERVER: 192.168.20.1#53(192.168.20.1)
;; WHEN: Sun Aug 27 10:22:30 2017
;; MSG SIZE  rcvd: 84

Verify VL30_CLRNET functionality

Verify VL30_CLRNET external DNS lookups.

$ nslookup pfsense.org
Server:     192.168.30.1
Address:    192.168.30.1#53

Non-authoritative answer:
Name:   pfsense.org
Address: 208.123.73.69

Verify non local DNS server lookups are blocked

$ dig @8.8.8.8 pfsense.org

; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 pfsense.org
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Verify local name resolution is working correctly.

This is handled by the forwarding rule to the DNS Resolver.

$ nslookup pfsense
Server:     192.168.30.1
Address:    192.168.30.1#53

Name:   pfsense.local.lan
Address: 192.168.1.1

Verify VL40_GUEST functionality

Verify VL40_GUEST DNS lookups.

Note the server displayed next to ‘Address’ here should not be your gateway but one of your ISP’s DNS servers.

$ nslookup pfsense.org
Server:     71.252.0.12
Address:    71.252.0.12#53

Non-authoritative answer:
Name:   pfsense.org
Address: 208.123.73.69

VL40_GUEST network cannot access local devices.

Attempt to access another of your local networked devices and verify you are unable to gain access.
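As an added example, not part of this guide or of pfSense, the same DNS checks run at the wire level with only the standard library: build the A query, read the rcode and the AA flag straight from the header, and treat a timeout or ICMP reject as the firewall blocking the query. The addresses 192.168.20.1 and 8.8.8.8 and the zone local.lan are the ones used above; run it from a host on each subnet, passing local_zone=None and external_blocked=False on VL40_GUEST where the ISP's servers answer.

```python
import random
import socket
import struct

# Added example (not from the guide or pfSense): the nslookup/dig checks above at the DNS wire level.
def build_query(name, qid):
    """Minimal A/IN query with RD set, as nslookup sends it."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def parse_header(resp):
    """Decode the 12-byte header: id, AA flag, rcode and answer/authority counts."""
    qid, flags, _qd, an, ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id": qid, "aa": bool(flags & 0x0400), "rcode": flags & 0xF, "answers": an, "authority": ns}

def classify(hdr):
    """Map a parsed header (None = no reply) onto the outcomes the guide expects."""
    if hdr is None:
        return "BLOCKED"        # dropped by the firewall: dig's 'no servers could be reached'
    if hdr["rcode"] == 3 and hdr["aa"]:
        return "NXDOMAIN_AUTH"  # resolver is authoritative for the zone and said no
    if hdr["rcode"] == 0 and hdr["answers"] > 0:
        return "RESOLVED"
    return "RCODE_%d" % hdr["rcode"]

def query(server, name, timeout=2.0):
    """One UDP query; None on timeout, ICMP reject or mismatched id."""
    qid = random.randrange(1, 65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, qid), (server, 53))
            data, _ = s.recvfrom(512)
        except OSError:
            return None
    hdr = parse_header(data)
    return hdr if hdr["id"] == qid else None

def verify_subnet(resolver, local_zone="local.lan", external_blocked=True):
    """Run the guide's checks against the resolver DHCP handed this subnet."""
    checks = {"resolver answers": (classify(query(resolver, "pfsense.org")), "RESOLVED")}
    if local_zone:            # VL20_VPN / VL30_CLRNET: the pfSense Resolver owns local.lan
        checks["bogus local name"] = (classify(query(resolver, "nothere." + local_zone)), "NXDOMAIN_AUTH")
    if external_blocked:      # VL20_VPN / VL30_CLRNET only; VL40_GUEST uses the ISP's servers
        checks["8.8.8.8 unreachable"] = (classify(query("8.8.8.8", "pfsense.org")), "BLOCKED")
    return {k: (got == want, got) for k, (got, want) in checks.items()}
if __name__ == "__main__":
    for check, (ok, got) in verify_subnet("192.168.20.1").items():
        print("%-22s %s (%s)" % (check, "PASS" if ok else "FAIL", got))
```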

Verify VPN connection

Open a browser and head over to AirVPN.org.

For the VPN subnet you should see a valid connection to an AirVPN server in the header bar.

VPN Connected

For the GUEST and CLRNET subnets you should observe your own IP address instead.

VPN Disconnected

It’s worth checking the cipher selected as part of the connection process. Navigate to Status > System Logs and select OpenVPN. If you are connecting to a 2.3.x server, for example Alkes @ 199.241.146.178, you will see something like:

Aug 26 16:41:37 openvpn 33460   Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 26 16:41:37 openvpn 33460   Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Aug 26 16:41:37 openvpn 33460   Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 26 16:41:37 openvpn 33460   Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Aug 26 16:41:35 openvpn 33460   Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 26 16:41:35 openvpn 33460   Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

whereas connecting to a 2.4.x server, e.g. Leo @ 199.249.230.21, you will see something like:

Aug 26 16:46:04 openvpn 36333   Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Aug 26 16:46:04 openvpn 36333   Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Aug 26 16:46:04 openvpn 36333   Data Channel: using negotiated cipher 'AES-256-GCM'
Aug 26 16:46:02 openvpn 36333   Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 26 16:46:02 openvpn 36333   Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
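To make that check repeatable, here is an added example (not from the guide or from OpenVPN) that pulls the data and control channel crypto out of log lines like the ones above and reports which of the two cases they match: a 2.4.x server negotiating an AEAD cipher such as AES-256-GCM, or a 2.3.x server using a CBC cipher with a separate HMAC. The LOG_23 and LOG_24 lists are trimmed copies of the excerpts quoted above.

```python
import re

# Added example (not from the guide or OpenVPN): pulls the negotiated crypto out
# of OpenVPN log lines like those quoted above and says which case they match.
RE_DATA_CIPHER = re.compile(r"Data Channel (?:Encrypt|Decrypt): Cipher '([^']+)'")
RE_DATA_HMAC = re.compile(r"Data Channel (?:Encrypt|Decrypt): Using \d+ bit message hash '([^']+)'")
RE_NEGOTIATED = re.compile(r"Data Channel: using negotiated cipher '([^']+)'")
RE_CONTROL_HMAC = re.compile(r"Control Channel Authentication: Using \d+ bit message hash '([^']+)'")
AEAD_SUFFIXES = ("-GCM", "CHACHA20-POLY1305")             # cipher provides its own integrity
SMALL_BLOCK = ("BF-", "DES-", "DES3", "CAST5-", "RC2-")    # 64-bit block ciphers, avoid

def summarise(lines):
    """Reduce an OpenVPN log excerpt to the data/control channel crypto it reports."""
    s = {"data_cipher": None, "data_hmac": None, "negotiated": None, "control_hmac": set()}
    for line in lines:
        for key, rx in (("data_cipher", RE_DATA_CIPHER), ("data_hmac", RE_DATA_HMAC),
                        ("negotiated", RE_NEGOTIATED)):
            m = rx.search(line)
            if m:
                s[key] = m.group(1)
        m = RE_CONTROL_HMAC.search(line)
        if m:
            s["control_hmac"].add(m.group(1))
    cipher = (s["data_cipher"] or "").upper()
    s["aead"] = cipher.endswith(AEAD_SUFFIXES)
    s["small_block"] = cipher.startswith(SMALL_BLOCK)
    s["control_hmac"] = sorted(s["control_hmac"])
    return s

def describe(s):
    """One-line verdict covering the two server generations the guide shows."""
    if s["data_cipher"] is None:
        return "no data channel cipher logged yet"
    if s["small_block"]:
        return "%s is a 64-bit block cipher; choose a server offering AES" % s["data_cipher"]
    if s["aead"]:
        return "AEAD data channel: %s%s" % (s["data_cipher"], " (negotiated)" if s["negotiated"] else "")
    return "%s with separate HMAC-%s (2.3-style, no cipher negotiation)" % (s["data_cipher"], s["data_hmac"])

# Trimmed copies of the two log excerpts shown above
LOG_23 = ["Aug 26 16:41:37 openvpn 33460   Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication",
          "Aug 26 16:41:37 openvpn 33460   Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key",
          "Aug 26 16:41:35 openvpn 33460   Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication"]
LOG_24 = ["Aug 26 16:46:04 openvpn 36333   Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key",
          "Aug 26 16:46:04 openvpn 36333   Data Channel: using negotiated cipher 'AES-256-GCM'",
          "Aug 26 16:46:02 openvpn 36333   Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication"]
if __name__ == "__main__":
    for name, log in (("2.3.x server", LOG_23), ("2.4.x server", LOG_24)):
        print(name, "->", describe(summarise(log)))
```

Feed it the full OpenVPN log from Status > System Logs (one line per list entry) to check every reconnect, not just the first.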

Verify there are no DNS leaks

Open a browser and head over to DNSLeaktest.com.

It’s worth running an extended test on each subnet to verify functionality. If you find the test doesn’t start correctly, disable ‘Experimental Bit 0x20 Support’ under the DNS Resolver’s advanced settings and try again.

My VL20_VPN subnet isn’t leaking, identifying only a single DNS server.

VL20_VPN DNS Leak Test

My VL30_CLRNET subnet shows multiple OpenDNS servers.

VL30_CLRNET DNS Leak Test

My VL40_GUEST network, as expected, shows multiple ISP servers.

VL40_GUEST DNS Leak Test

Performance

Performance can fluctuate depending on server loads, especially at certain peak times. Make sure to select a server which is close to your geographical location and also one that isn’t heavily utilised. AirVPN’s ping matrix is a useful tool to help identify suitable servers. At best I would expect a 15ms increase in ping times and a reduction in throughput of around 10%; this has held as my line performance has increased.

Ping Matrix

I validated performance with speedtest.net.

Here’s my LAN performance illustrating Verizon’s FIOS 150/150 service performance.

LAN performance

And here’s my VL20_VPN performance.

VPN performance

Changelog

29 August 2017
Updated destination field in DNS port forward
Updated strict interface binding setting in DNS Forwarder