Configuring New Networks Firewall Settings on a PFSense Router - ItsMmmike/SYS-350 GitHub Wiki
Adding New Networks and Firewall Rules to a PFSense Router
In this milestone, we need to add additional networks to our PFSense router in order to suit the needs of the lab's network environment. This guide will briefly cover how to add new network adapters to a PFSense router, basic interface configuration as well as how to set up necessary firewall rules.
Pre-Reqs:
- First make sure that the necessary port groups have been created before continuing with this configuration
- You will also need a functioning PFSense VM + Desktop Management VM to configure PFSense following the initial configuration
Adding Additional Network Adapters onto PFSense
- First, shut down your PFSense Router VM
- Edit the VM's hardware settings and add 2 new network adapters
- Assign the network adapters to their respective network port groups as shown below (ensure that each network is connected and remains connected on reboot)
- Lastly reboot your PFSense Router
**Note:** You may need to re-assign the network interfaces in PFSense after adding the adapters. If so, keep track of the MAC address of each network adapter together with the network (port group) it is bridged to, then reconfigure the interface assignments using the PFSense command-line console.
^^ The completed configuration for your PFSense VM should look similar to above
Configuring Network Interfaces in PFSense Web GUI
- Using your Desktop Management VM, login to your PFSense Router's Web GUI interface then navigate to "Interface" > "Assignments"
- Under "Interface Assignments", configure your DMZ and MGMT interfaces so that each interface is enabled and has the correct name and IP address
- Make sure to save and apply the config following this
(*Also keep track of each adapter's MAC address; it must match the adapter attached to the corresponding network)
^^ Screenshot of the configuration used for my DMZ Network Interface
^^ Screenshot of the configured network adapters on my PFSense Router
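The note about tracking MAC addresses is easy to get wrong by hand once there are four adapters, so the following added example (not part of this wiki or of pfSense itself) shows how to verify the pairing: it parses constructed FreeBSD-style `ifconfig` output of the kind the pfSense console prints, looks up each device's MAC in the adapter-to-port-group list recorded from the VM's hardware settings, and reports any interface role (WAN, LAN, DMZ, MGMT) whose assigned device sits on the wrong port group. Every interface name, MAC address, port group name and IP in it is a made-up assumption; substitute the values from your own VM.

```python
import re

# Constructed ifconfig output in the format the pfSense (FreeBSD) console prints.
# Interface names, MACs and IPs are assumptions for this example.
IFCONFIG_OUTPUT = """\
vmx0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:0c:29:11:22:01
        inet 192.168.1.50 netmask 0xffffff00 broadcast 192.168.1.255
vmx1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:0c:29:11:22:02
        inet 10.0.5.2 netmask 0xffffff00 broadcast 10.0.5.255
vmx2: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:0c:29:11:22:03
vmx3: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:0c:29:11:22:04
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
"""

# MAC -> port group, as recorded from the VM's hardware settings (constructed).
HYPERVISOR_ADAPTERS = {
    "00:0c:29:11:22:01": "WAN-PG",
    "00:0c:29:11:22:02": "LAN-PG",
    "00:0c:29:11:22:03": "DMZ-PG",
    "00:0c:29:11:22:04": "MGMT-PG",
}

# Which port group each pfSense interface role is supposed to live on (assumed names).
ROLE_TO_PORTGROUP = {"WAN": "WAN-PG", "LAN": "LAN-PG", "DMZ": "DMZ-PG", "MGMT": "MGMT-PG"}

# What was assigned under Interfaces > Assignments (role -> device), constructed.
ASSIGNMENTS = {"WAN": "vmx0", "LAN": "vmx1", "DMZ": "vmx2", "MGMT": "vmx3"}


def parse_ifconfig(text):
    """Return {interface_name: mac} for every interface that reports an 'ether' line."""
    macs = {}
    current = None
    for line in text.splitlines():
        head = re.match(r"^(\w+): flags=", line)
        if head:
            current = head.group(1)      # start of a new interface block
            continue
        eth = re.match(r"^\s+ether\s+([0-9a-fA-F:]{17})", line)
        if eth and current:
            macs[current] = eth.group(1).lower()
    return macs


def check_assignments(ifconfig_text, assignments):
    """Return a list of (role, problem) for every role whose device is not on the
    port group that role requires; an empty list means the wiring matches."""
    macs = parse_ifconfig(ifconfig_text)
    problems = []
    for role, device in assignments.items():
        mac = macs.get(device)
        if mac is None:
            problems.append((role, f"{device} reports no MAC address"))
            continue
        portgroup = HYPERVISOR_ADAPTERS.get(mac)
        expected = ROLE_TO_PORTGROUP[role]
        if portgroup != expected:
            problems.append((role, f"{device} ({mac}) is on {portgroup}, expected {expected}"))
    return problems


if __name__ == "__main__":
    for role, problem in check_assignments(IFCONFIG_OUTPUT, ASSIGNMENTS):
        print(f"{role}: {problem}")
```

Swapping two devices in `ASSIGNMENTS` (for example DMZ on `vmx3` and MGMT on `vmx2`) makes the check report both roles, which is exactly the mistake the re-assignment step invites when the adapters were added in a different order than expected.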
Configuring PFSense DNS Resolver
To ensure that all networks are able to use DNS, we must first configure the DNS Resolver on our PFSense Router to provide service to the additional networks.
- In PFSense, navigate to "Services" > "DNS Resolver" > "General Settings"
- Under "Outgoing Network Interfaces" select "WAN" (*This allows all outgoing DNS queries to be properly forwarded outside of the local network)
- Save and Apply Settings to implement the changes
^^ Screenshot of my completed DNS Resolver configuration
Configuring Firewall Rules
Note: For this milestone lab, the MGMT and LAN networks can ping any local network as well as reach out to the internet. The DMZ network should also be able to connect to the internet, but it must not be able to make connections to the LAN or MGMT networks.
- To add new firewall rules in PFSense, first navigate to "Firewall" > "Rules", then select the network interface you wish to configure (e.g. DMZ)
- From here, click "Add" to configure a new firewall rule for this interface
- Repeat this step until all necessary firewall rules have been configured for each interface
- The completed DMZ Firewall Rules should look similar to below:
- The completed MGMT Firewall Rules should look similar to below:
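pfSense evaluates the rules of the interface on which traffic enters from the top down, the first matching rule wins, and anything that matches no rule is dropped by the implicit default deny. Two mistakes are common when building the DMZ rule set described above: placing the "allow any" rule above the block rules (so the blocks are never reached), and blocking every private range so that DMZ hosts can no longer reach the DNS Resolver on the firewall's own DMZ address. The following added example (my own code, not part of this wiki or of pfSense) models the intended policy with those semantics and audits it against the stated intent; the subnets, gateway addresses and the external test address are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed lab addressing (assumption; substitute your own subnets).
NETS = {
    "LAN": ipaddress.ip_network("10.0.5.0/24"),
    "MGMT": ipaddress.ip_network("10.0.6.0/24"),
    "DMZ": ipaddress.ip_network("10.0.7.0/24"),
}
# Address of the pfSense interface in each net, i.e. where the DNS Resolver listens (assumed .2).
GATEWAYS = {name: str(net.network_address + 2) for name, net in NETS.items()}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNET = "203.0.113.10"  # constructed external address (TEST-NET-3) for the checks


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    src: str                    # net name or "any"
    dst: str                    # net name, "any", "rfc1918", or a literal IP address
    proto: str = "any"          # "any", "tcp", "udp" or "icmp"
    port: Optional[int] = None  # destination port for tcp/udp rules


def _addr_matches(selector, addr):
    if selector == "any":
        return True
    if selector == "rfc1918":
        return any(addr in net for net in RFC1918)
    if selector in NETS:
        return addr in NETS[selector]
    return addr == ipaddress.ip_address(selector)


def evaluate(rules, iface, src, dst, proto="tcp", port=None):
    """First matching rule on the ingress interface wins; no match means block."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules[iface]:
        if not (_addr_matches(r.src, s) and _addr_matches(r.dst, d)):
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.port is not None and r.port != port:
            continue
        return r.action
    return "block"  # implicit default deny


# Rule sets per interface, in the order they would appear in Firewall > Rules.
POLICY = {
    "LAN": [Rule("pass", "LAN", "any")],
    "MGMT": [Rule("pass", "MGMT", "any")],
    "DMZ": [
        Rule("pass", "DMZ", GATEWAYS["DMZ"], "udp", 53),  # DNS to the firewall must precede the block
        Rule("block", "DMZ", "rfc1918"),                  # no DMZ -> any internal network
        Rule("pass", "DMZ", "any"),                       # everything else (the internet)
    ],
}

# The intent stated in the note above: (iface, src, dst, proto, port, expected action).
INTENT = [
    ("LAN", "10.0.5.10", "10.0.7.10", "icmp", None, "pass"),
    ("MGMT", "10.0.6.10", "10.0.5.10", "icmp", None, "pass"),
    ("MGMT", "10.0.6.10", INTERNET, "tcp", 443, "pass"),
    ("DMZ", "10.0.7.10", INTERNET, "tcp", 443, "pass"),
    ("DMZ", "10.0.7.10", GATEWAYS["DMZ"], "udp", 53, "pass"),
    ("DMZ", "10.0.7.10", "10.0.5.10", "tcp", 22, "block"),
    ("DMZ", "10.0.7.10", "10.0.6.10", "icmp", None, "block"),
]


def audit(rules):
    """Return the INTENT entries the rule set violates; an empty list means compliant."""
    return [case for case in INTENT if evaluate(rules, *case[:5]) != case[5]]


# Two broken variants of the DMZ rule set for comparison.
MISORDERED = dict(POLICY, DMZ=list(reversed(POLICY["DMZ"])))   # "pass any" on top
NO_DNS_RULE = dict(POLICY, DMZ=POLICY["DMZ"][1:])              # block rfc1918 with no DNS exception

if __name__ == "__main__":
    for name, rules in (("policy", POLICY), ("misordered", MISORDERED), ("no_dns_rule", NO_DNS_RULE)):
        print(name, "violations:", audit(rules))
```

Running it prints no violations for `POLICY`, two for `MISORDERED` (the DMZ can reach LAN and MGMT because the pass rule shadows the blocks) and one for `NO_DNS_RULE` (DMZ hosts lose DNS). The same idea works as a quick regression check whenever a rule is added later: extend `INTENT` with the flow you expect and re-run the audit.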
Configuring Firewall NAT Rules
For this configuration, Firewall NAT Rules are also necessary in order to allow multiple devices on the internal DMZ or MGMT network to communicate out onto the internet using the router's single IP address.
- To configure these NAT rules in PFSense, first navigate to "Firewall" > "NAT" > "Port Forward"
- From here, click "Add" to configure each necessary NAT port forward rule
- The completed MGMT Firewall Rules should look similar to below: