Comprehensive Guide to pfSense 2.3 Part 8: Firewall and NAT Rules

  • Published 5 Feb 2025
  • Overview of the firewall and NAT rules in pfSense.
    Part 1: • Comprehensive Guide to...
    Part 2: • Comprehensive Guide to...
    Part 3: • Comprehensive Guide to...
    Part 4: • Comprehensive Guide to...
    Part 5.1: • Comprehensive Guide to...
    Part 5.2: • Comprehensive Guide to...
    Part 5.2-2: • Comprehensive Guide to...
    Part 5.3: • Comprehensive Guide to...
    Part 5.4: • Comprehensive Guide to...
    Part 6: • Comprehensive Guide to...
    Part 7: • Comprehensive Guide to...
    Part 9: • Comprehensive Guide to...
    I have a second channel:
    / @markfurneaux2659

COMMENTS • 82

  • @TheUbuntuGuy 7 years ago +36

    Part 9 will be on the Traffic Shaper, and will be released in a week or two. It will be quite in depth, and is shaping up to be the longest video yet (no pun intended).

    • @darryllawler2777 7 years ago +11

      This is great news!! Thank you so much for continuing this series. I know you mentioned, in the past, that they take a ton of your time. I genuinely appreciate you donating that time to us so we can better understand pfsense and take control of our internet connection. Please know that your effort is met with sincere and massive amounts of gratitude. Keep up the great work, Mark!!

    • @Dazdigo 7 years ago +2

      Your videos were very helpful with assisting me with setting up my pfsense router and understanding the concepts. Thank you.

    • @miamidan44 7 years ago

      If it wasn't intended, it should have been. Made me laugh. I am just stumbling upon this video as I am searching for knowledge about the traffic shaper wizard. I am trying to figure out what all the little abbreviations mean and which would be best for me to set as low, default, or high priority given my needs. But I cannot know unless I know what they stand for, or at least what the purpose for each is. I see the post I am replying to was posted about a week ago, so I'm going to go check to see if you hopefully have uploaded it yet. I learned most of what I know about pfsense from your videos last year or the year before(?), I don't remember. But I remember you stopped just before Captive Portal, which at that time I was considering and was disappointed. It turned out that I haven't needed it.
      I said I learned the most from you so far, but that's not really intended to mean I know anything at all. I have to go back and rewatch all of them again because I'm really clueless on just about everything, all the networking and hardware terminology, and settings and what they do, and yada yada yada. Beginners is an advanced level for me!
      My situation, however, is such that I have very little money for myself each month or else I could afford to pay someone to teach me. I think Netgate offers that. But even then I think to take those classes you have to already have a basic understanding of networking structures and jargon. Because of that I am very grateful for your kindness in making these videos for us. So may I just say thank you!!

  • @thomashong7 1 year ago +1

    Six years later I just had time to watch the whole video. Best clear, concise, informational video. Still a gem. Thank you!

  • @tokoiaoben3842 2 years ago +1

    This is an old channel but still relevant and covers a lot of ground for people who wish to learn pfsense firewall rules. For the floating rules part I think it helps a lot when say you have an internal messaging app for instance that you want everyone in your organisation to use for internal communication ... and you have several vlans ... normally you will create a separate rule for each vlan to access this app (this app has its own vlan too) ... it would be a lot easier to just create one floating rule that will be available for all the vlans created.

  • @bryanscott2621 7 years ago

    Thank you so much for picking this back up. I had begun my pfSense journey with your videos, and when you decided not to continue them I had to source other information which was not quite as concise. I did figure it out though, and it's cool to watch this video in relation to how far my knowledge has already come along. It would be helpful, although I already have it working, to see how you would configure the outbound NAT and firewall rules for use with a VPN provider. This is what led me to using pfSense over a consumer grade router. I needed the processing power to run all of my LAN devices through a VPN. I have also started using pfSense boxes in client businesses. It's a great platform! Thanks again for your dedication to helping others. It is greatly appreciated by many.

  • @MrCaLFreddyG 5 years ago

    He hopes it was useful haha, this was the most useful on pf sense yet. Been looking at 2.4 videos but none of them as useful as this man. Stands the test of time and gives a solid explanation not just on pfsense but routing and firewall concepts as a whole. Couldn't ask for much more.

  • @RichDurso 7 years ago +2

    I've been running pfSense for several years. I somehow magically figured out the right combination of mouse clicks to get 3 interfaces working as I needed. Your video series has GREATLY improved my configuration and confidence in my implementation. Your work here is much appreciated.

  • @humansloth4096 5 years ago

    Excellent video. Concise and to the point. No droning on and clearly you know the topic. Thank you.

  • @vgracanin 7 years ago +5

    Thanks for continuing the series, it is probably one of the most detailed and explained pfsense videos I have found online. Keep it up.

  • @syndendesign 7 years ago +10

    yaay! i'm so glad you're back!! thank you for the video! hope we'll get more soon. you have a good voice to listen to.

  • @NavidGowani 7 years ago +36

    Finally :D the best content on pfsense resumes

    • @waynepatrick4219 7 years ago

      I second this, well thought out and presented video series, answered many questions I had about the pfSense firewall.
      Can you please do a traffic shaping video as this is just as complex as the firewall.

    • @oskarhammarstrom5075 7 years ago

      As do I!
      I was just baffled that they came back since Marc said he wouldn't do more of them, looking forward to more Marc!

  • @alexanderkurgat3481 7 years ago +4

    Hi Mark, am so glad for you to have such a comprehensive series... keep up your good work. So I have a suggestion; if you finish this pfSense Series, can you do a comprehensive series on freeNAS please?! Hope to hear from you. Have a lovely day.

  • @AdigaAs21 7 years ago +2

    I am glad you did this video. I watched all your pfsense videos. Thanks for your videos.

  • @venividioblitus 7 years ago

    Hi Mark
    There is one thing I'd like to point out here. You said that sending a reject could alert an attacker that there is a firewall, but this completely depends on how the rest of the firewall is set up. If I set up a regular server on a network and simply don't listen on any port externally then all ports will return ICMP "Port Unreachable". So in that case, dropping packets to a port (e.g. SSHD) would alert an attacker that something is externally listening there and apparently some address[es] have access (or it's a misconfiguration because if you don't want anyone to connect externally, why listen externally). However if your router is already dropping all packets sent to it, then yes, sending a reject on a specific port would absolutely show a firewall is present.
    My point is just that people need to understand that the key here is make sure your "drop" behaviour mirrors your normal behaviour because it's the deviation that gives away the presence of a firewall, not reject or drop specifically.

  • @instantwatch1492 2 years ago

    Thank you so much! The nat reflection part explained the situation I encountered for 2 weeks!!!

  • @nadirnikakhtar1129 4 years ago

    Brilliant series! Always find myself coming back to your resource! thanks very much sir!

  • @marcosmigliorini1440 7 years ago

    Let me say thank you very much, Mark, for these videos!!! Marcos from Argentina

  • @thomaslidstrom519 7 years ago +3

    Thank you for taking up this EXCELLENT series of videos!!!

  • @dartrunner4599 7 years ago +3

    Thank you so much for continuing your series!

  • @napiray 7 years ago +2

    Thanks for continuing with the CG to pfSense. Great job!

  • @syotos8643 7 years ago +3

    Thanks for bringing this back! Awesome job as always. Hope you continue them.

  • @KeithTingle 5 years ago

    just wanted to say this is incredibly well done and helpful

  • @tanveerahmed1274 7 years ago +6

    Have been waiting for this... Thanks Mark.. great video

  • @swedishdissident3406 5 years ago

    Very good, clear and logical. Thank you.

  • @killahinternetcafe9623 7 years ago +1

    Thanks Mark for continuing this awesome guide.

  • @brunomendonca5038 7 years ago

    Thank you so much for this. I have been learning a lot with your PFSense videos!

  • @brittaniemann1281 4 years ago

    thanks for this tutorial! although already a couple of years old, i think it's still useful for beginners like me. best wishes from .de :)

  • @patrik5123 7 years ago +3

    AWESOME! Thanks so much for continuing this series!

  • @Morganfreestyler 7 years ago +2

    Thanks Mark, keep up the good work, really like your videos about pfSense.

  • @cichlid98 7 years ago

    Thank you very much for continuing this series Mark!!!

  • @MohamedAhmed-cj2sv 7 years ago

    Thanks for your back! Awesome job as always. Hope you continue them.

  • @hesperaux 6 years ago

    I really appreciate the effort you put into this. The fact that you pause and describe and explain the meaning of things is what makes this video useful to me. Anyone can copy form data from a tutorial and create a video and verbally say "put this here because reasons," but explaining what it means is much more valuable. Thanks for the video.
    I'm trying to route between VLANs and I'm getting very confused by the ingress and egress of packets related to the firewall. This video helped me understand that it is incoming connections only. Since the VLAN X has IPs on subnet X, I need to allow connections on VLAN X's interface coming from other VLANs that should be able to connect. Is that correct? No egress rules are needed?
    I am asking about egress because in your allow all (blacklist fallback) rule, you described it as an egress rule, and yet the rules are matched on incoming connection requests. This was a little confusing to me. Can you clarify if and/or when egress rules make sense in an inter-vlan configuration? Thanks again!

  • @HestnetIT 5 years ago

    Thanks. Perfect video to fill in the gaps and get everything working for me. I'm excited to start hosting some servers on my public IPv4 subnet.

  • @Oswee 5 years ago

    Man! You have a talent!!!

  • @reyvarela6315 7 years ago

    Thank you so much for the videos. They are very professional and very good help too!!

  • @jamesking7868 7 years ago

    thank you this is by way the most useful video on pfsense firewall rules.

  • @rickardhogan5664 7 years ago +1

    Fantastic video Mark! Many thanks!

  • @maxharrison9918 7 years ago +3

    Just wanted to say thanks. Thanks

  • @k1ngjulien_ 7 years ago +6

    OMFG! ITS A PFSENSE TUTORIAL!

  • @rosaldanha 5 years ago

    Thank you for sharing such knowledge ! Very useful.

  • @lucafrondoni 7 years ago +3

    Excellent! Looking forward to the remaining parts

  • @lbrwnie 7 years ago

    Great video! A tutorial on setting up an openvpn server so you can access your network remotely would be awesome. A lot of tutorials out there don't go into depth / skip steps

  • @CaladorPTN 7 years ago +1

    Thank You very much for your time and effort! Appreciated!

  • @darryllawler2777 7 years ago +1

    Thank you so much, Mark!!!

  • @lewin555 7 years ago

    I've searched and bought eLearning videos about network security mostly because it was including a section about pfSense. However, while it was a professional I've never been shown what is happening in details like you do. Knowing that it's always understandable without being a network specialist. I can't wait to finish this video and go next to the traffic shaper functionality that I'd like to understand.
    Do you intend to add something one day about packets inspection (Snort or Suricata)? I would be interested to understand that point introduced the same way you did for the introduction slides: pros & cons, ex: if there is some added value in a home network.
    Thanks

  • @humansofceylon8046 7 years ago

    Hey Mark, awesome series, learnt everything I know about PFsense through your videos. Thank you for sharing your knowledge.
    One question though, for which I have been struggling for a while, how do you block Facebook and UA-cam on Pfsense the right way ?

  • @wayneclements7202 7 years ago

    Great stuff Mark, Thank you mate.

  • @MAbdilahi 7 years ago

    thanks for these amazing videos. I just want to ask you about the choice between Sophos UTM and the pfSense firewall

  • @JesterHammer 6 years ago

    Awesome video. Thank you!

  • @jaimedpcaus1 7 years ago

    Hi,
    I'm trying to make opt1 work using a d-link switch. Do I have to create a system route in pfsense? Will creating an interface be enough, with a few rules to let traffic in, to test if the opt1 works?

  • @sebsefyu 6 years ago

    Fantastic tutorial. You should do Snort & its rules and pfBlocker Comprehensive guides. There really isn't a good one on youtube.

  • @marcopaolo1998 7 years ago

    i love u Mark , Thanks for resuming this guide:-)

  • @justfmeupfam 7 years ago

    Any chance of a video on a comprehensive guide for Suricata?

  • @davejoseph5615 5 years ago

    So.... the first LAN port has a different implicit ruleset than any additional (i.e. optional) LAN ports? I know it has a default anti-lockout rule, but... is that all?

  • @linuxcow9870 7 years ago +2

    cool, finally a follow up, like earned :D

  • @XsissisX 7 years ago

    Thank you for this great explanation, turns out I've been doing it wrong because I haven't actually been using NAT rules where I shouldn't have, I was using just general interface rules. I have a question, I happen to have (rent) a small block of IPs. I use 1:1 NAT to connect a single IP to a single VM on my ESXi server. I was wondering if you could explain what exactly is matched with the "WAN address" and "WAN net" aliases when configuring a firewall rule or NAT rule. I have a bit of a complicated setup because the gateway I use is "far". As in, it is outside the subnet, but it works. Now I wonder does "WAN address" match the standard gateway, and does "WAN net" match that and the IP I have configured using 1:1 NAT? Or how does this work?
    Thank you in advance for an explanation!

  • @chrismoore9997 7 years ago

    Thanks for making this video! I will have to finish watching once I get home from work. Please make one about how to install and configure squid proxy, transparent caching proxy.

  • @81keyholder 7 years ago

    Mark... port forwarding isn't working for me as I'm trying to get my cod server online but pfsense is blocking it. The host also has its Windows firewall disabled. Any ideas? Rule set via Nat port mapping.

  • @TableWolfMusic 7 years ago

    Since i7 computers and quite possibly i5 or earlier (i3 etc) computers have backdoors (see Dave Cullen's ComputingForever video) and considering that pfsense with its new requirements increases the chances of a person using those computers for it, would you ever consider making an OPNsense video in such glorious detail? I think your pfSense video detail level is great.

  • @abdraoufx 7 years ago

    what is the difference between WAN net and WAN address, or LAN net vs LAN address?
    I didn't understand the meaning from the pfsense wiki.

  • @Martin-ot7xj 5 years ago

    Hi there, how can we make a rule on the firewall that all traffic will be blocked by default? I mean lan can access the Internet but all attacks or traffic from the Internet or wan to lan will be blocked? Because by default there's no rule set on the MikroTik firewall. Thnx

  • @pcampanotti 7 years ago

    Thanks Mark!

  • @ralmslb 7 years ago

    Thank you very much

  • @joebonsaipoland 7 years ago

    good stuff thanks

  • @VadhanSs 7 years ago

    plz show me how to setup port forwarding for FTP... I am using a Windows FTP server

  • @pigboiii 7 years ago +2

    damn it has been a long time

    • @pigboiii 7 years ago +2

      I am very happy to see this btw! didn't mean to be negative.

  • @noxlupi1 3 years ago

    Reject vs Block. Is like the difference between a locked car, and an invisible car.

  • @MirkWoot 7 years ago

    Thanks a lot for this series of videos :). I got a question if someone is listening. By default Pfsense blocks everything going in, and allows everything going out? But how then can I even surf the internet? How can I remotely switch off my lights with Philips Hue...
    And what is with the firewall logs saying it blocks something going from LAN to WAN... Maybe I am just confusing things? Same with me feeling it is very illogical that when you make a NAT rule, you set the destination to WAN and not LAN...

    • @TheUbuntuGuy 7 years ago

      It blocks *new* incoming connections, but will allow replies to existing connections that originated outgoing. You can browse the web because you initiated the connection. NAT rules are from the perspective of the Internet, so the destination is the WAN because that is what faces outwards from your network.
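The stateful behaviour described in this reply, and the reject-versus-drop point raised earlier by @venividioblitus, as an added example that is not part of the original page or of pfSense itself: a small Python simulation of the default policy (LAN may open new connections, the WAN may only answer existing ones), with constructed RFC 5737 addresses and traffic. The final out-of-state LAN packet shows one way a LAN-to-WAN block can appear in the logs; that this explains the commenter's log entries is an assumption, not something the page states.

```python
"""Toy stateful packet filter modelling pfSense's default LAN/WAN policy.

Added example, not pfSense code. Traffic and addresses are constructed
(RFC 5737 documentation ranges); only TCP is modelled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet ARRIVES on: "lan" or "wan"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool    # True for the first packet of a new TCP connection


class StatefulFirewall:
    """Rules are evaluated on ingress only; replies ride on the state entry."""

    def __init__(self, reject: bool = False) -> None:
        # Each state is the 4-tuple of the connection as first seen.
        self.states: set = set()
        # pfSense 'reject' answers TCP with a RST; 'block' discards silently.
        self.reject = reject

    def filter(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # 1. Packets belonging to an existing state pass without a rule lookup,
        #    in either direction: this is why web replies from the WAN get in.
        if fwd in self.states or rev in self.states:
            return "pass:state"
        # 2. LAN default rule: anything new started from the LAN is allowed
        #    and creates a state entry for the return traffic.
        if pkt.iface == "lan" and pkt.syn:
            self.states.add(fwd)
            return "pass:new-state"
        # 3. Everything else (unsolicited WAN traffic, or a LAN packet whose
        #    state has expired) hits the implicit deny.
        return "reject:rst" if self.reject else "drop"


def run_demo(reject: bool = False) -> list:
    """Constructed traffic: a LAN web client, its reply, an unsolicited WAN
    connection attempt, and a stray out-of-state LAN packet."""
    fw = StatefulFirewall(reject=reject)
    lan, web, outside = "192.168.1.10", "198.51.100.20", "203.0.113.5"
    traffic = [
        Packet("lan", lan, 50000, web, 443, syn=True),      # LAN client opens HTTPS
        Packet("wan", web, 443, lan, 50000, syn=False),     # the server's reply
        Packet("wan", outside, 4444, lan, 22, syn=True),    # unsolicited inbound SYN
        Packet("lan", lan, 50001, web, 443, syn=False),     # ACK with no matching state
    ]
    return [fw.filter(p) for p in traffic]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Switching `reject=True` changes only the verdict on the denied packets, which is the deviation an outside observer can notice; the state logic is unaffected.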

  • @SooperBeez 7 years ago +2

    nice

  • @nirv 3 years ago

    42:35 - nat reflection. You know your stuff about networking, dude, but I think options like this would benefit from a real-world example such as the one I immediately thought of.
    Say you host a Counter-Strike 1.5 server on a server machine in your living room. You, for whatever reason, happen to find a working copy of Gamespy 3D server scanner from the early 2000s and you somehow have a working list and you see your CS server right there along with your internet IP. You see there are 23/24 players so you double click it to connect and game and it works! It works because you clicked that Nat Reflection option.
    I could think of others, but this option sounds like it'd be very helpful for someone like me who actually does stuff like this on my own network. I guess DDWRT must do it automatically somewhere because I never had to click an option like this.

  • @England91 7 years ago

    I'm guessing npt is similar to nbt in Minecraft

  • @152drake164 7 years ago

    YES!!!!

  • @Awoody002 7 years ago

    Magic. Ta

  • @theNEOone 7 years ago +3

    YEEEEESSSSSSSSSSSSSSSSSSSSSSSSSS