
PFSense Day 2


I'm back! I've been a little busy with life, but a couple of weekends ago I did get pfSense running at its most basic functions on my network. I do feel like I approached it a little backwards...but it works. I did make some mistakes, though nothing major that I couldn't correct.

Here is what I did

  1. Setup pfBlocker

  2. Setup DHCP and setup old router as a wireless access point (WAP)

  3. Port Forwarding for PLEX

If I were to redo this process I would have set up DHCP and configured my previous router as a WAP first.

My main goals for this round of pfSense were essentially to duplicate my current setup: replace Pi-hole with pfBlocker, use pfSense as my DHCP provider, and something that I've always wanted...proper port forwarding of Plex. No more double-NAT issues.

pfBlocker

pfBlocker is a wonderful little feature, essentially a DNS sinkhole that can be used to block adverts, malicious websites, or any unwanted websites. For my home network, I used the IP Blocklists provided by pfSense and FireBog.

  1. Install the pfBlocker package. I used the development package.

    • System > Available Packages > pfBlockerNG-devel >> Click Install + Confirm
  2. Wait for the installation to complete. Should take no more than a minute.

    • Firewall > pfBlockerNG Setup

    • We will follow the Setup Menu. On the "Welcome to pfBlockerNG" screen, click Next. You will receive a warning on the next screen. Click Next again.

    • "Step 2" On this Screen you will be presented with Inbound and Outbound interfaces. Here I set it as Inbound = WAN and Outbound = LAN.

    • "Step 3" I left the VIP address as the default...

      • LESSON LEARNED! I recommend changing the Port to something other than the default that isn't currently being used, such as 4443. The first time I went through this menu I left it at the defaults. Once activated, I could no longer access pfSense. I had to console into pfSense, remove the pfBlocker package and start again. If pfBlocker locks you out, follow the instructions below. This assumes you are able to access the console or use SSH.

      • To list installed packages from the console (or SSH)

        pkg info
      • The current version of pfBlocker I have installed is "pfSense-pkg-pfBlockerNG-devel-3.1.0_4". To uninstall it, run the following and then type y to confirm

        pkg delete pfSense-pkg-pfBlockerNG-devel-3.1.0_4
    • "Step 4" Hit Finish

    • "Extra Steps" Click on IP and enable Floating Rules under IP Interface/Rules Configuration. This will place the rules in the Firewall under Floating, which makes tracking rules easier. I'll have to re-reference Lawrence's video on configuration, which I will link below.

    • Finally, I have found that I need to reboot pfSense for pfBlocker to take effect. Not sure if this is normal.

IP Blocker

I kept this at its default settings, although I did add one more block list from AlienVault, which I selected from the Feeds tab under the pfBlocker menu. You don't want to block inbound connections here, just anything going out in this case.

DNS Blocking

This is something I am a bit more familiar with, coming from Pi-Hole.

For now, I am leaving the DNSBL Category and DNSBL SafeSearch categories alone, focusing only on the DNSBL Groups tab instead.

I find this to be incredibly straightforward. Click on the Add button, provide a name, and then add the various DNS blocking lists that suit your needs. Personally, I was a bit heavy-handed and used all of FireBog's Green and Blue lists (the ones that are not crossed out) while separating them into various categories.

Once you have added your lists, ensure that the State for each list you want is set to "ON" and that, under the Settings section, the Action is set to "Unbound". I would also recommend setting the lists to auto-update on a semi-regular basis so they stay current.

DHCP and WAP

This I should have done first. Like pfBlocker, this was pretty straightforward with a couple of minor gotchas.

  1. Under Interfaces, set the IPv4 configuration type to Static IPv4 and then change your LAN port to the IP range that you prefer, such as 192.168.10.1. This will also be the gateway IP for devices on that subnet. Note that if you are accessing pfSense through that same port, you will now need to reach it at the new IP address.
  2. Head to Services > DHCP Server and click to enable "DHCP Server on LAN Interface". You will then need to ensure that the available range matches the subnet of the LAN interface, such as 192.168.3.10 - 192.168.3.50. This sets the DHCP server to hand out upwards of 40 IP addresses between 10 and 50.
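As an added example (not from the original post), here is a small check for the gotcha in step 2: the DHCP pool has to sit inside the LAN interface's subnet and must not swallow the gateway, network or broadcast address. The inputs are constructed; the second case deliberately uses a pool from a different subnet than the LAN address to show what the check catches.

```python
import ipaddress


def check_dhcp_pool(lan_ip: str, prefix_len: int, pool_start: str, pool_end: str) -> dict:
    """Validate a DHCP pool against the LAN interface address (pfSense-style setup).

    Returns the subnet, the number of addresses in the pool, and a list of
    problems found. An empty problem list means the range is usable as-is.
    """
    iface = ipaddress.ip_interface(f"{lan_ip}/{prefix_len}")
    net = iface.network
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    problems = []

    if start > end:
        problems.append("pool start is after pool end")
    for label, addr in (("start", start), ("end", end)):
        if addr not in net:
            problems.append(f"pool {label} {addr} is outside LAN subnet {net}")

    # Reserved-address checks only make sense once the pool is inside the subnet.
    if not problems:
        if start <= iface.ip <= end:
            problems.append(f"pool overlaps the gateway address {iface.ip}")
        if start == net.network_address:
            problems.append("pool start is the network address")
        if end == net.broadcast_address:
            problems.append("pool end is the broadcast address")

    size = int(end) - int(start) + 1 if start <= end else 0
    return {"subnet": str(net), "pool_size": size, "problems": problems}


if __name__ == "__main__":
    # Constructed cases: a good pool, a pool from the wrong subnet, a pool over the gateway.
    cases = [
        ("192.168.10.1", 24, "192.168.10.10", "192.168.10.50"),
        ("192.168.10.1", 24, "192.168.3.10", "192.168.3.50"),
        ("192.168.10.1", 24, "192.168.10.1", "192.168.10.50"),
    ]
    for lan_ip, plen, first, last in cases:
        result = check_dhcp_pool(lan_ip, plen, first, last)
        status = "OK" if not result["problems"] else "; ".join(result["problems"])
        print(f"{first}-{last} on {result['subnet']}: {result['pool_size']} addresses, {status}")
```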

That is it, straightforward and simple. This is a basic configuration. I plan for it to be a bit more complicated once I get into VLANs and subnetting.

Port Forwarding for Plex

Resources

Lawrence Systems - pfBlocker Setup