Switching to pfSense

November 11, 2022

Overview

This post is written based on pfSense Community Edition version 2.6.0 released on 01-31-2022. I recently switched to pfSense as my firewall and router from a Unifi Security Gateway. I was starting to bump up against some limitations of the Unifi device, and pfSense has allowed me to change detailed settings to my heart’s content. I’m running it on dedicated hardware which is one of the generic four port “firewall” boxes that can be found all over AliExpress. The processor is a Celeron N5105 with 8GB of memory and a 120GB SSD (overkill). It also has the Intel i225 chip for the NICs, so they are all 2.5GbE. My setup is not very advanced, but I’ll detail what it looks like in the sections below.

Firewall rules

Nothing too special going on here. I currently have four interfaces defined: WAN, LAN, VPNSC (Proton VPN Secure Core), and OpenVPN (local server). The only thing I have allowed through the WAN interface is the port for my OpenVPN server. On the LAN side, basically everything is allowed except for one IP address that I force to use the VPNSC interface instead of WAN. After reading several articles about the best way to accomplish this, I settled on applying a specific tag to all traffic coming from that IP and setting the default gateway to the VPNSC gateway. By applying a specific tag (NO_WAN_EGRESS in my case), I am able to add a floating rule that looks for that tag and doesn’t allow it to use the WAN interface. This ensures that if the VPNSC interface fails for some reason, the traffic doesn’t fall back to using WAN. The VPNSC interface just has the standard “Block bogon networks” rule, and the OpenVPN interface has the default rule that basically allows anything. I may look into tightening this up a little in the near future.
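The tag-and-block pattern above has two halves that must agree: every rule that policy-routes a host to the VPN gateway must set the tag, and a floating quick block rule on WAN must match that tag. The script below is an added example (not from the post and not part of pfSense) that checks both halves in a pfSense config.xml backup. The element names it reads (`<filter><rule>`, `<tag>`, `<tagged>`, `<floating>`, `<direction>`, `<quick>`, `<gateway>`, `<interface>`) follow the backup layout as this example's author understands it, and the sample backup, the gateway name `VPNSC_GW` and the host addresses are constructed; verify the element names against your own backup before relying on the result.

```python
"""
Audit a pfSense config.xml backup for the tag-and-block policy:
  1. a floating, quick, outbound block rule on WAN matches the tag;
  2. every rule that uses the VPN gateway also sets that tag.

Added example, not part of the original post or of pfSense itself.
Element names are assumptions about the config.xml layout.
"""
import xml.etree.ElementTree as ET

TAG = "NO_WAN_EGRESS"      # the tag used in the post
VPN_GATEWAY = "VPNSC_GW"   # constructed gateway name

# Constructed sample backup: a correct floating guard rule, one correctly
# tagged LAN rule, and one LAN rule that routes to the VPN without the tag.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <filter>
    <rule>
      <type>block</type>
      <interface>wan</interface>
      <floating>yes</floating>
      <direction>out</direction>
      <quick>yes</quick>
      <tagged>NO_WAN_EGRESS</tagged>
      <source><any></any></source>
      <destination><any></any></destination>
      <descr>Never let tagged traffic leave via WAN</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <source><address>192.168.1.50</address></source>
      <destination><any></any></destination>
      <gateway>VPNSC_GW</gateway>
      <tag>NO_WAN_EGRESS</tag>
      <descr>Force host through Proton Secure Core</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <source><address>192.168.1.51</address></source>
      <destination><any></any></destination>
      <gateway>VPNSC_GW</gateway>
      <descr>Routed to VPN but not tagged</descr>
    </rule>
  </filter>
</pfsense>
"""


def _text(rule, name, default=""):
    """Text of a child element, or `default` when the element is absent."""
    node = rule.find(name)
    return (node.text or "").strip() if node is not None else default


def audit(config_xml: str, tag: str = TAG, gateway: str = VPN_GATEWAY) -> list:
    """Return a list of findings; an empty list means the policy holds."""
    rules = ET.fromstring(config_xml).findall("./filter/rule")
    findings = []

    # 1. The guard: floating + quick + block + WAN + outbound + tagged.
    guard = [
        r for r in rules
        if _text(r, "floating") == "yes"
        and _text(r, "type") == "block"
        and _text(r, "interface") == "wan"
        and _text(r, "direction") == "out"
        and _text(r, "quick") == "yes"
        and _text(r, "tagged") == tag
    ]
    if not guard:
        findings.append(f"no floating quick block rule on wan for tagged {tag}")

    # 2. Every rule that policy-routes to the VPN gateway must set the tag;
    #    otherwise a gateway failure silently falls back to the default route.
    for r in rules:
        if _text(r, "gateway") == gateway and _text(r, "tag") != tag:
            findings.append(
                f"rule '{_text(r, 'descr')}' uses gateway {gateway} without tag {tag}"
            )
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG) or ["OK: tag-and-block policy is consistent"]:
        print(line)
```

Run it against a real backup with `audit(open("config-backup.xml").read())`; any finding means a host could reach the internet over WAN when the VPN gateway is down.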

DHCP

For my DHCP server on the LAN interface, I have it set to start handing out dynamic addresses at x.x.x.20. This gives me the first 19 addresses to assign statically. I do configure my static DHCP assignments in pfSense and not only on the host machine. I then enable the “Static DHCP” option in the DNS Resolver to add my static mappings to the local DNS listing.

NextDNS

I’m currently using NextDNS for my whole home network. I have it set up on pfSense so that it automatically handles any DNS traffic leaving my network. This doesn’t give me the granularity of knowing exactly which device the traffic is coming from, but I don’t necessarily need that, as I’m mainly using it to block certain sites, ads, and trackers. So far, it has been great. Setup is fairly straightforward. In the DNS Resolver settings, I enabled both options under “DNS Query Forwarding” and then added some setup code from NextDNS in the “Custom options” block. Under System -> General Setup, I do have the Quad9 DNS server addresses listed, because that is what I was originally using. I left them there but changed the “DNS Resolution Behavior” to use local DNS and ignore remote DNS servers.

Dynamic DNS

I currently host my domains with Cloudflare. I can easily create a specific subdomain for my OpenVPN server and update the address using pfSense’s Dynamic DNS service. Simply add a new client, select Cloudflare as the service type, enter the hostname to update, add your Cloudflare credentials, and set the TTL to 300. For the Cloudflare credentials, the username will be the Zone ID, and the password is actually an API token. For a little extra security, this token can be created with specific permissions to only allow DNS editing.
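The pfSense client does the API calls for you, but it helps to see what a least-privilege Cloudflare update looks like when the token only carries DNS-edit permission on the one zone. The script below is an added example (not from the post and not pfSense's own DDNS code): it looks up the A record, and only sends a PUT when the public address has actually changed, with the same TTL of 300 the post uses. The zone ID, record name, token and addresses are constructed placeholders; the endpoints and the `Authorization: Bearer` header are the public Cloudflare v4 API.

```python
"""
Minimal Cloudflare dynamic-DNS updater using a DNS-edit-scoped API token.

Added example, not part of the original post or of pfSense. All IDs,
names, tokens and addresses below are constructed placeholders.
"""
import json
import urllib.request

API = "https://api.cloudflare.com/client/v4"
TTL = 300  # the TTL the post sets on the pfSense DDNS client


def _headers(token: str) -> dict:
    # The token replaces the old global API key; it should be scoped to
    # Zone -> DNS -> Edit on just the zone that holds the VPN hostname.
    return {"Authorization": f"Bearer {token}",
            "Content-Type": "application/json"}


def build_lookup(zone_id: str, name: str, token: str) -> urllib.request.Request:
    """GET request that finds the A record for `name` in the zone."""
    url = f"{API}/zones/{zone_id}/dns_records?type=A&name={name}"
    return urllib.request.Request(url, headers=_headers(token), method="GET")


def build_update(zone_id: str, record_id: str, name: str, ip: str,
                 token: str, ttl: int = TTL) -> urllib.request.Request:
    """PUT request that overwrites the record with the current public IP."""
    url = f"{API}/zones/{zone_id}/dns_records/{record_id}"
    body = json.dumps({"type": "A", "name": name, "content": ip,
                       "ttl": ttl, "proxied": False}).encode()
    return urllib.request.Request(url, data=body, headers=_headers(token),
                                  method="PUT")


def needs_update(lookup_response: dict, current_ip: str) -> tuple:
    """From a dns_records list response, return (record_id, changed).

    Only the first matching record is considered; the record must already
    exist, so the token never needs permission to create records."""
    records = lookup_response.get("result", [])
    if not records:
        raise LookupError("A record not found; create it once in the dashboard")
    rec = records[0]
    return rec["id"], rec["content"] != current_ip


def update_if_changed(zone_id: str, name: str, token: str, current_ip: str) -> bool:
    """Live flow (needs network): look the record up, PUT only on change."""
    with urllib.request.urlopen(build_lookup(zone_id, name, token)) as resp:
        record_id, changed = needs_update(json.load(resp), current_ip)
    if not changed:
        return False
    req = build_update(zone_id, record_id, name, current_ip, token)
    with urllib.request.urlopen(req) as resp:
        return bool(json.load(resp).get("success", False))


# Constructed sample of what the lookup endpoint returns (trimmed).
SAMPLE_LOOKUP = {
    "success": True,
    "result": [{"id": "rec0123456789", "type": "A",
                "name": "vpn.example.com", "content": "203.0.113.10"}],
}

if __name__ == "__main__":
    rid, changed = needs_update(SAMPLE_LOOKUP, "203.0.113.11")
    print(rid, "changed" if changed else "unchanged")
```

Because the token can only edit DNS in that zone, a compromise of the firewall's DDNS credential exposes the zone's records, not the whole Cloudflare account; the pfSense client gives you the same property when you paste a scoped token rather than the global key.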

OpenVPN server

I like having an OpenVPN server running on pfSense to allow me to securely jump into my home network from anywhere. Setting this up is as easy as following Netgate’s guide. I opted to use local users for authentication. The guide walks you through creating a new CA and certificate as well as the needed OpenVPN settings. Since I’m using local users as the authentication method, I also used the guide to step through adding a new user to pfSense with the proper certificate. There is an OpenVPN client export package that makes it trivial to create a configuration file for importing into many different types of clients.

If you want all of the remote traffic forced through the VPN, there are a few more settings to deal with. For the OpenVPN server, under Tunnel Settings, simply check the box for “Redirect IPv4 Gateway” instead of listing specific local networks. Then, under Advanced Client Settings, check the boxes for “DNS Server enable”, “Block Outside DNS”, and “Force DNS cache update”. Be sure to add the IP address for your DNS Server (likely X.X.X.1). Lastly, you’ll need to edit your NAT rules to give the traffic destined for the WAN a way out. Under Firewall -> NAT -> Outbound, just duplicate the two rules for your local network and change the source IP range to whatever is being assigned to your OpenVPN clients when they connect.
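For readers who know OpenVPN's own configuration syntax better than the pfSense GUI, here is a constructed server fragment (an added example, not the post's configuration) showing the directives that, to this writer's understanding, the four checkboxes above turn into. The tunnel network 10.0.8.0/24 and the resolver address 192.168.1.1 are placeholders; substitute your own values.

```conf
# Constructed OpenVPN server fragment, added example (not from the post).
server 10.0.8.0 255.255.255.0        # tunnel network handed to clients; also the source
                                     # range for the duplicated Outbound NAT rules

push "redirect-gateway def1"         # "Redirect IPv4 Gateway": send all client traffic into the tunnel
push "dhcp-option DNS 192.168.1.1"   # "DNS Server enable": the pfSense resolver (X.X.X.1 in the post)
push "block-outside-dns"             # "Block Outside DNS": Windows clients may not resolve outside the tunnel
push "register-dns"                  # "Force DNS cache update": Windows clients flush and re-register DNS
```

The two DNS-related pushes are what stop a full-tunnel client from quietly answering its own lookups through the local coffee-shop resolver; without the matching Outbound NAT entries for the tunnel network, `redirect-gateway def1` routes the traffic to pfSense but it never leaves WAN.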

OpenVPN client

I use Proton VPN when I want to anonymize my network traffic. I have the app installed on many of my devices for occasional use. I also decided to create an always-connected client in pfSense to use for machines on my home network that should always use the VPN for internet access. Proton has a fairly good setup article on their site. I did deviate in some areas though. For “Step Four: Setting up firewall rules” I opted to duplicate the NAT rules instead of editing the existing ones. This is because I do not want all of my network traffic forced through the VPN. I simply want it as an additional option. I also did not do “Step Five: Setup DNS resolver”. I would like all of my DNS queries to continue to go through NextDNS. I realize many people will want their DNS to go over the VPN, but I’m just explaining my setup. Once this is set up, I can force certain clients to only use the VPN as described in the firewall rules section above.

Conclusion

Overall, I am very much enjoying pfSense. It has been rock solid with absolutely no issues. In defense of the Unifi Security Gateway, it was also very stable. I just didn’t have the level of customization that I now have with pfSense. I realize I’m only doing fairly basic things with my setup, but at least I know I have a lot more growth potential with pfSense. I’m currently learning more about VLANs and hope to implement them in the near future.