This document provides a detailed overview of the configuration and setup of my pfSense firewall, including interfaces, VLANs, firewall rules, DHCP settings, NAT, and installed packages/services.
- Hostname: pfSense
- Domain: lan
- Version: 23.3
- Timezone: US/Pacific
- Access Protocol: HTTPS
- Dashboard Theme: pfSense Dark
- Dashboard Columns: 3
- Physical Interface: igb0
  - IP Addressing: DHCP
- Physical Interface: igb1
  - IP Address: 10.10.0.1
  - Subnet Mask: /24
- VLAN Interface: igb1.30
  - IP Address: 10.10.30.1
  - Subnet Mask: /24
- VLAN Interface: igb1.20
  - IP Address: 10.10.20.1
  - Subnet Mask: /24
Virtual LANs (VLANs) segment network traffic logically within a shared physical infrastructure, improving security, performance, and scalability. All VLANs are configured on the igb1 interface, with unique tags for traffic isolation.
- Purpose: Wireless device segmentation.
- VLAN Tag: 30
- IP Address: 10.10.30.1/24
- DHCP Range: 10.10.30.100 - 10.10.30.200
- DNS Servers:
  - Primary: 10.10.0.7
  - Secondary: 10.10.0.6
- Purpose: Isolation of IoT devices from sensitive resources.
- VLAN Tag: 20
- IP Address: 10.10.20.1/24
- DHCP Range: 10.10.20.100 - 10.10.20.245
- DNS Servers:
  - Primary: 10.10.0.6
  - Secondary: 10.10.0.7
## VLAN Routing and Firewall Rules
- WiFi VLAN (VLAN 30):
  - Allowed Traffic: DNS and ICMP to Pi-hole servers; selective access to services like Plex and Minecraft.
  - Blocked Traffic: Access to LAN (10.10.0.0/24) and IoT VLAN (10.10.20.0/24).
- IoT VLAN (VLAN 20):
  - Allowed Traffic: DNS and ICMP to Pi-hole; internet access; access to Plex server.
  - Blocked Traffic: Access to LAN and WiFi VLAN.
- LAN: 10.10.0.100 - 10.10.0.245
- WiFi: 10.10.30.100 - 10.10.30.200
- IoT: 10.10.20.100 - 10.10.20.245
All VLANs use the following Pi-hole servers for DNS:
- Primary: 10.10.0.6
- Secondary: 10.10.0.7
- Rule Processing: Rules are evaluated top-down on each interface; the first rule that matches a packet decides its fate and no later rules are consulted.
- Default Behavior: All traffic is blocked unless explicitly permitted.
- Logging: Key rules are logged to monitor activity and troubleshoot issues.
- Allow Remote Plex Access: Port 32400 to 10.10.0.55
- Allow Remote Minecraft Access: Port 25565 to 10.10.0.61
- Allow Overseerr Access: Port 5055 to 10.10.0.55
- Allow All Traffic: Enables unrestricted communication within the LAN.
- Allow DNS: To Pi-hole servers (10.10.0.6 and 10.10.0.7).
- Allow Plex Access: To 10.10.0.55.
- Block LAN Access: Prevents access to 10.10.0.0/24.
- Allow DNS: To Pi-hole servers.
- Block LAN Access: Prevents access to 10.10.0.0/24.
- Block WiFi VLAN Access: Prevents access to 10.10.30.0/24.
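The following is an added example (not part of this configuration document or of pfSense itself) that models the top-down, first-match, default-deny evaluation described above against the WiFi VLAN ruleset. It assumes DNS means UDP port 53 and Plex means TCP port 32400 (the port from the NAT rule); it also shows why the Allow Plex rule must sit above Block LAN, since 10.10.0.55 lies inside 10.10.0.0/24.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    dst_net: str                # destination network in CIDR notation
    dst_port: Optional[int]     # None matches any port
    proto: Optional[str] = None  # None matches any protocol


def evaluate(rules: List[Rule], proto: str, dst_ip: str, dst_port: int) -> str:
    """Return the action of the first matching rule; default deny if none match."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if ip not in ipaddress.ip_network(r.dst_net):
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        return r.action          # first match wins; later rules are not consulted
    return "block"               # nothing matched: pfSense's implicit default deny


# WiFi VLAN (VLAN 30) rules in the order listed in this document.
# Port/protocol values for DNS and Plex are assumptions, see lead-in.
WIFI_RULES = [
    Rule("pass", "10.10.0.6/32", 53, "udp"),      # Allow DNS to primary Pi-hole
    Rule("pass", "10.10.0.7/32", 53, "udp"),      # Allow DNS to secondary Pi-hole
    Rule("pass", "10.10.0.55/32", 32400, "tcp"),  # Allow Plex Access
    Rule("block", "10.10.0.0/24", None),          # Block LAN Access
]

# Same rules, but with Block LAN moved to the top: the Plex exception is
# never reached because 10.10.0.55 is inside 10.10.0.0/24.
MISORDERED_RULES = [WIFI_RULES[3]] + WIFI_RULES[:3]


if __name__ == "__main__":
    # Constructed sample flows from a WiFi client to various destinations.
    for proto, ip, port in [("udp", "10.10.0.6", 53), ("tcp", "10.10.0.55", 32400),
                            ("tcp", "10.10.0.61", 25565), ("tcp", "10.10.20.50", 80)]:
        print(proto, ip, port, "->", evaluate(WIFI_RULES, proto, ip, port))
    print("misordered Plex ->", evaluate(MISORDERED_RULES, "tcp", "10.10.0.55", 32400))
```

The last line shows the misordered ruleset blocking Plex even though an allow rule for it exists; the IoT client at 10.10.20.50 is blocked not by an explicit rule but by the default deny.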
- Provider: Cloudflare
- Domain: kitpro.us
- Hostname: home.kitpro.us
- Verify DDNS Status: Check Services > Dynamic DNS.
- Enable Logging: Under Status > System Logs.
- Test Connectivity: Ping api.cloudflare.com using the diagnostics tool.
- Primary: 10.10.0.6
- Secondary: 10.10.0.7
- Monitor Logs: Use the Pi-hole dashboard to check activity.
- Verify Upstream Servers: Ensure Pi-hole can forward requests to 1.1.1.1 or 8.8.8.8.
- Snort (IDS/IPS): Protects against intrusions.
- ntopng: Provides traffic analysis.
- Avahi: Enables service discovery via mDNS.
- System Patches: Applies critical updates.