pfSense 2.x Cookbook - Second Edition

By : David Zientara
Overview of this book

pfSense is an open source, FreeBSD-based firewall distribution that provides a platform for flexible and powerful routing and firewalling. The versatility of pfSense presents us with a wide array of configuration options, which makes determining requirements a little more difficult and a lot more important compared to other offerings. pfSense 2.x Cookbook – Second Edition starts by providing you with an understanding of how to complete the basic steps needed to render a pfSense firewall operational. It starts by showing you how to set up different forms of NAT entries and firewall rules and use aliases and scheduling in firewall rules. Moving on, you will learn how to implement a captive portal setup in different ways (no authentication, user manager authentication, and RADIUS authentication), as well as NTP and SNMP configuration. You will then learn how to set up a VPN tunnel with pfSense. The book then focuses on setting up traffic shaping with pfSense, using either the built-in traffic shaping wizard, custom floating rules, or Snort. Toward the end, you will set up multiple WAN interfaces, load balancing and failover groups, and a CARP failover group. You will also learn how to bridge interfaces, add static routing entries, and use dynamic routing protocols via third-party packages.

Determining our interface requirements

This section will help us determine our interface requirements by analyzing our network design. We will make use of our network diagram to understand how many interfaces our network will require.

Let's begin by analyzing our network design, as depicted in our network diagram.

We can see that our environment consists of four separate interfaces:

  • Wide Area Network (WAN): Directly connects to our cable modem, which in turn provides access to the internet.
  • Local Area Network (LAN): Our primary internal network.
  • Demilitarized Zone (DMZ): Our internal network, on which we allow external access. Our web servers belong to this interface.
  • Wireless guest network (GUEST WIFI): We've created this network for the convenience of guests. They can all connect with an easy-to-remember password (or perhaps no password at all) and surf the web. We consider this interface insecure and treat it as such. We will define rules so it has no access to other networks—not even the also insecure DMZ.

It is apparent that our network requires four Network Interface Cards (NICs).


We could have also accomplished this result with two NICs (WAN and LAN) and two VLANs (DMZ and GUEST WIFI).


A firewall requires a separate NIC for every interface it hopes to support. This ensures a physical separation of network traffic. All inter-network traffic is forced to pass through the firewall where our rules will be applied and enforced. For that reason, a firewall requires a minimum of two NICs to function properly, one for internal traffic and one for external traffic (LAN and WAN). Each subsequent optional interface will require yet another NIC, which can be added at any time (unless, of course, we use VLANs).

Typically, a NIC will have a single Ethernet port. However, some NICs may have two, four, or even more Ethernet ports on a single card. Our firewall in the preceding scenario could have had four single-port NICs, or a single four-port network interface card.


Since pfSense 2.0, only a single physical interface is required to install the system, making all interfaces except for the WAN optional. Theoretically, the WAN and LAN could both be VLANs on the same interface. A proper firewall, however, still requires a minimum of two interfaces.
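To make the two options above concrete (four dedicated NICs versus two NICs plus two VLANs for DMZ and GUEST WIFI), here is a small interface planner. It is an added example, not code from the book or from pfSense; the port names (igb0 and so on) and the VLAN tags starting at 10 are constructed sample values, and it assumes that any segment without its own port is trunked as an 802.1Q VLAN on the LAN NIC.

```python
"""Plan pfSense interface assignments for the WAN / LAN / DMZ / GUEST WIFI design.

Assumptions (not from the book): port names such as 'igb0' and VLAN tags starting
at 10 are constructed sample values; segments that do not get a dedicated port are
carried as 802.1Q VLANs on the LAN port's NIC.
"""

MIN_PHYSICAL_PORTS = 2  # one external (WAN) and one internal (LAN) NIC, as the text requires


def plan_interfaces(segments, ports, first_tag=10):
    """Map each segment name to (parent port, VLAN tag or None for untagged).

    segments: ordered list of segment names, WAN first and LAN second.
    ports:    physical Ethernet ports available (one per NIC, or several on a multi-port card).
    Each segment gets its own port while ports remain; the rest ride as VLANs on the LAN
    port, which mirrors the 'two NICs plus two VLANs' alternative described in the text.
    """
    if len(ports) < MIN_PHYSICAL_PORTS:
        raise ValueError("a firewall needs at least two physical interfaces (WAN and LAN)")
    if list(segments[:2]) != ["WAN", "LAN"]:
        raise ValueError("segments must start with WAN and LAN")
    plan = {}
    dedicated = list(zip(segments, ports))  # one port per segment until ports run out
    for name, port in dedicated:
        plan[name] = (port, None)
    trunk = plan["LAN"][0]  # constructed choice: VLANs hang off the LAN NIC
    tag = first_tag
    for name in segments[len(dedicated):]:
        plan[name] = (trunk, tag)
        tag += 10
    return plan


def physical_nics_needed(plan):
    """Number of distinct physical ports the plan consumes."""
    return len({port for port, _ in plan.values()})


def shares_trunk(plan, a, b):
    """True if segments a and b ride the same physical port (no physical separation)."""
    return plan[a][0] == plan[b][0]
```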