Setting Up PfSense for Network Segmentation, Traffic Control, and Security Rules for Your Cybersecurity Home Lab
pfSense is an open-source firewall and router software, widely used in cybersecurity labs and production environments. This guide explains how to set up pfSense in a virtual environment, configure its interfaces, and establish basic security rules. The steps are beginner-friendly and include tips for troubleshooting.
Step 1: Requirements
To get started, ensure you have the following:
- Virtual Machine Software: VMware Workstation Pro is used in this guide.
- pfSense ISO: Download the latest version from the official pfSense website.
Step 2: Creating a Virtual Machine for pfSense
1. Open VMware
Navigate to File > New Virtual Machine.
Select Typical setup.
2. Select the Installation Media
Choose Installer disc image file (iso) and locate the downloaded pfSense ISO file.
3. Name Your Virtual Machine
Use a descriptive name like pfSense_Lab and select a location to save it.
4. Allocate Disk Space
Assign at least 20 GB and choose “Store virtual disk as a single file.”
5. Customize Hardware
Click on Customize Hardware
Allocate at least 1 GB RAM (2 GB for better performance).
Assign 1 CPU (2 cores recommended).
6. Add Two Network Adapters
Adapter 1: NAT (WAN) — Simulates an internet connection.
Adapter 2: Host-only (LAN) — Connects to other lab VMs in an isolated network.
Review your configuration and click Finish to create the VM.
Step 3: Installing pfSense
1. Follow the Installation Wizard
Accept the terms
Choose Install in the pfSense menu.
2. Choosing the disk partitioning method during the pfSense installation:
Auto (ZFS): Automatic setup using the ZFS file system. Ideal for those needing advanced features like snapshots and redundancy. Recommended for systems with 8 GB RAM or more.
Auto (UFS): Automatic setup with the simpler UFS file system. Best for beginners and systems with less than 8 GB RAM.
Manual: Allows custom partitioning, suitable for advanced users.
Shell: Opens a command-line interface for manual partitioning.
Recommended for beginners: Choose Auto (UFS) for a simple installation that covers basic needs.
For advanced users: If you need reliability, scalability, and advanced features, select Auto (ZFS).
Select Install to Proceed with Installation
The ZFS Configuration window is where you select the type of ZFS setup. Options include:
Stripe: Maximum storage, but no redundancy (data loss if a disk fails).
Mirror: Creates exact copies of data on multiple disks for redundancy.
RAIDZ (1/2/3): Different levels of redundancy with varying performance and fault tolerance.
What to Choose:
For a virtual lab or testing environment, choose Stripe. This provides maximum storage with no redundancy.
For production environments or where reliability is critical, consider Mirror or RAIDZ options (if you have multiple disks).
Why Choose Stripe for a Lab Environment:
Performance: Stripe provides the fastest disk performance, as data is split across all disks.
Simplicity: It does not require additional setup for redundancy, making it suitable for a single-disk virtual environment.
No Need for Redundancy: Since this is a test environment, data loss is not critical.
A prompt warns that the selected disk will be overwritten. Press Space to select the disk, then choose OK.
Choose Yes to continue, and reboot when the installation finishes.
The system will begin extracting the distribution files, which is the actual installation process where pfSense writes its system files to the disk. We need to wait for this process to complete.
The Installation of pfSense has been successfully completed. The installer is now prompting you to either:
Reboot: Press Enter to restart the virtual machine and boot into the newly installed pfSense system.
Shell: Open a command-line shell for advanced troubleshooting or additional manual configuration.
- Select Reboot: This will restart the system and load the freshly installed pfSense environment.
3. Remove the Installation ISO:
Before the reboot completes, make sure the system doesn’t boot back into the installation ISO. To do this: Go to your VMware menu.
VM > Removable Devices > CD/DVD (IDE) and select Disconnect.
The pfSense console menu appears after the system reboots into the installed pfSense environment.
Version and Environment Details:
pfSense 2.7.2-RELEASE: This is the version of pfSense you installed.
VMware Virtual Machine: Indicates that pfSense is running on a virtual machine.
Interface Assignments:
WAN (wan) on em0: This is the interface connected to the internet, configured using DHCP with the IP 192.168.19.16/24.
LAN (lan) on em1: This is the internal network interface, with a static IP 192.168.1.1/24. Other devices in the lab will connect to this interface for network segmentation and testing.
Menu Options: A list of administrative tasks you can perform, such as assigning interfaces, resetting passwords, or enabling services.
Step 4: Configuring Kali/Ubuntu Network Adapters and Verifying Connectivity
Before starting the machine, add a second network adapter exactly as you did when creating the pfSense machine, so the VM has two adapters:
- NAT adapter connects pfSense to the internet
- Host-only adapter creates a secure internal network to test and manage pfSense like a real home or office router.
Start the Kali/Ubuntu Linux Machine
Check the IP Address of Kali/Ubuntu Linux:
ip a
1. Left Side (Kali Linux Terminal Output):
The ip a command lists network interfaces and their IP addresses.
eth0 has the IP 192.168.19.15/24 (connected to the same network as pfSense’s WAN interface).
eth1 has the IP 192.168.1.133/24 (connected to pfSense’s LAN network).
2. Right Side (pfSense Console Menu):
It shows the pfSense setup with:
WAN IP: 192.168.19.16/24.
LAN IP: 192.168.1.1/24.
These IPs are used for managing and routing traffic between different networks.
This confirms that Kali Linux interfaces are connected to the correct pfSense networks (WAN and LAN).
On the left is your Ubuntu machine showing its IP addresses:
- Interface ens33: IP address is 192.168.19.13
- Interface ens37: IP address is 192.168.1.128
- On the right is your pfSense console:
- WAN interface (em0): 192.168.19.16/24
- LAN interface (em1): 192.168.1.1/24
Explanation of the Network Configuration:
1. Ubuntu Machine:
- The ens33 interface connects to the same network as the pfSense WAN (192.168.19.x).
- The ens37 interface connects to the same network as the pfSense LAN (192.168.1.x).
2. pfSense:
- The WAN interface has the address 192.168.19.16, which is in the same subnet as 192.168.19.13 (Ubuntu’s ens33).
- The LAN interface (192.168.1.1) is the gateway for devices in the 192.168.1.x subnet, such as Ubuntu’s ens37.
Test Connectivity
From both Kali and Ubuntu, ping the pfSense LAN address (192.168.1.1 in this lab) to confirm the LAN adapter is wired correctly:
ping -c 4 <LAN IP>
Step 5: Accessing the pfSense Web Interface
Open Browser: Use the LAN IP to access the web configurator from a browser on the Kali Linux machine (or from your host, which also sits on the host-only network).
Go to https://192.168.1.1 (the LAN IP shown on the pfSense console).
You will see a security warning because pfSense ships with a self-signed certificate. Choose Advanced > Accept the Risk and Continue.
Note: Accepting this risk is generally safe when accessing known devices on your local network, like your pfSense firewall.
If this were a public or unfamiliar website, bypassing such a warning would not be recommended due to potential security risks.
Login:
Default username: admin
Default password: pfsense
Initial Setup Wizard:
- Click on “Next”:
- Proceed with the wizard to configure the initial settings.
Steps in the Wizard:
General Information: Enter the hostname, domain, and DNS servers if needed.
Time Server: Set your time zone and optional time server configuration.
WAN Configuration: Configure the WAN interface settings (usually, this will be set up to obtain an IP automatically via DHCP if using NAT in a virtual environment).
RFC1918 and Bogon Network Settings
The RFC1918 Networks and Bogon Networks settings apply to the WAN interface. They control whether traffic from private (RFC1918) address ranges and from bogon (unallocated or reserved) ranges is blocked from entering your network through the WAN interface.
For Lab Environments: Uncheck both options to allow traffic from private and bogon networks if your WAN is set up using a private IP space or if you need to simulate such traffic.
For Real Networks: Keep these options checked to enhance security by preventing unwanted private and bogon traffic from entering your network.
LAN Configuration: Set the LAN IP address (keep it as 192.168.1.1 or change it if needed).
Admin Password: Change the default admin password for security purposes. This is important as the warning indicates that the default password is still set.
Reload pfSense to apply the new settings and complete the initial setup, then click Finish, Accept, and Close.
After completing the initial setup you will see the pfSense dashboard.
The dashboard provides an overview of the system’s health and network interface status, which is essential for monitoring our network and ensuring everything is functioning properly.
In the System Logs page we can check different types of log entries to troubleshoot or monitor various activities and system states. The logs shown are from the “General” tab, which covers system-level events. Here we can find entries related to:
- System Startup/Shutdown: Details about system boot processes and shutdown procedures, as seen with entries about syslogd starting and exiting.
- Kernel Messages: Notifications about kernel-level operations such as loading modules, processing threads, and disk operations.
- Process Details: Information related to the starting, stopping, or status updates of system processes.
You can navigate between different log categories like Firewall, DHCP, VPN by selecting the appropriate tabs, allowing us to diagnose issues or confirm system behavior comprehensively.
In the Firewall Logs view we can observe detailed entries related to the traffic that has been blocked or allowed by the pfSense firewall rules.
- Action: Indicates what action was taken for the traffic, such as blocking or allowing it. In your case, the red ✖ indicates that the traffic was blocked.
- Time: The timestamp showing when the specific log entry was recorded.
- Interface: The network interface where the traffic was observed, such as LAN or WAN.
- Rule: The specific firewall rule that triggered the action. The entries here are labeled as Default deny rule, meaning these packets were blocked because they didn’t match any existing rules allowing them.
- Source: The IP address from where the traffic originated.
- Destination: The IP address or endpoint where the traffic was intended to go.
- Protocol: Indicates the type of protocol used for the connection, such as UDP or TCP.
This view is useful for troubleshooting connectivity issues, identifying unauthorized access attempts, and monitoring general network activity on your pfSense system.
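As an added example (not from the original page or the pfSense project), here is a small Python parser for the raw filterlog records behind this view, run over a few constructed log lines. It assumes the comma-separated field layout pfSense’s filterlog daemon writes for IPv4 records and the em0/em1 interface naming from the lab console; the tracker ids, addresses and timestamps in the sample are constructed.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample lines in the shape of pfSense filter.log entries: a syslog
# prefix, then the comma-separated filterlog record. Tracker ids, addresses and
# times are made up for this example.
SAMPLE_LOG = """\
Dec 10 12:00:01 pfSense filterlog[6123]: 5,,,1000000103,em1,match,block,in,4,0x0,,64,1234,0,DF,17,udp,78,192.168.195.1,192.168.195.255,137,137,58
Dec 10 12:00:02 pfSense filterlog[6123]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,4321,0,none,6,tcp,60,192.168.19.13,192.168.19.16,51234,22,0,S,1,,64240,,mss
Dec 10 12:00:03 pfSense filterlog[6123]: 83,,,1700000001,em0,match,pass,in,4,0x0,,64,1,0,none,6,tcp,60,192.168.19.13,192.168.19.16,51235,443,0,S,1,,64240,,mss
Dec 10 12:00:04 pfSense filterlog[6123]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,1,0,none,1,icmp,84,10.0.0.9,192.168.19.16,request,1,1
"""

# Interface names from the lab console (em0 = WAN, em1 = LAN).
INTERFACES = {"em0": "WAN", "em1": "LAN"}
# Ports the guide warns about exposing through the WAN.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP"}

def parse_filterlog(line: str) -> Optional[Dict[str, object]]:
    """Return the fields a defender cares about from one IPv4 filterlog line.

    Field positions follow the filterlog CSV layout: rule-number, sub-rule,
    anchor, tracker, interface, reason, action, direction, ip-version, then
    the IPv4 header fields (tos, ecn, ttl, id, offset, flags, protocol-id,
    protocol-text, length, source, destination) and, for TCP/UDP, the ports.
    Returns None for lines that are not IPv4 filterlog records.
    """
    if "filterlog[" not in line or "]: " not in line:
        return None
    fields = line.split("]: ", 1)[1].split(",")
    if len(fields) < 20 or fields[8] != "4":
        return None
    entry: Dict[str, object] = {
        "time": line[:15],
        "tracker": fields[3],
        "interface": INTERFACES.get(fields[4], fields[4]),
        "action": fields[6],
        "proto": fields[16],
        "src": fields[18],
        "dst": fields[19],
        "sport": None,
        "dport": None,
    }
    if fields[16] in ("tcp", "udp") and len(fields) > 21:
        entry["sport"] = int(fields[20])
        entry["dport"] = int(fields[21])
    return entry

def summarise_blocks(log_text: str) -> Counter:
    """Count blocked flows by (interface, protocol, source, destination, dport)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        e = parse_filterlog(line)
        if e and e["action"] == "block":
            counts[(e["interface"], e["proto"], e["src"], e["dst"], e["dport"])] += 1
    return counts

def wan_findings(log_text: str) -> List[str]:
    """Flag WAN-side entries worth a second look: attempts on sensitive ports and
    traffic from RFC1918 space, which the wizard's "Block private networks"
    option would normally drop on a real (non-lab) WAN."""
    findings: List[str] = []
    for line in log_text.splitlines():
        e = parse_filterlog(line)
        if not e or e["interface"] != "WAN":
            continue
        if e["dport"] in SENSITIVE_PORTS:
            findings.append(f"{e['time']} {e['action']} {SENSITIVE_PORTS[e['dport']]} "
                            f"from {e['src']} to {e['dst']}")
        if ipaddress.ip_address(str(e["src"])).is_private:
            findings.append(f"{e['time']} RFC1918 source {e['src']} seen on WAN ({e['proto']})")
    return findings
```

In this lab every WAN-side source is private because the WAN sits on VMware NAT, which is exactly why the wizard’s RFC1918 block was unchecked; on a real WAN those findings would be the anomaly.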
By clicking on the icon next to the log entry, we initiate the creation of an “Easy Rule” to permit this traffic.
The “Easy Rule” feature in pfSense’s firewall logs allows us to quickly create a firewall rule by clicking on a log entry that shows blocked traffic. By doing this, you can allow specific traffic that was previously blocked.
A confirmation screen opens for the new rule. It specifies that the rule type is “Pass” for traffic on the LAN interface, allowing UDP traffic from the source 192.168.195.1 to the destination 192.168.195.255 on port 137.
To add the rule, click the “Confirm” button, which updates the firewall configuration to permit this specific traffic. Check the source, destination and port before confirming: an Easy Rule passes exactly the flow that was logged, so confirm only traffic you actually intend to allow.
To view or modify the firewall rules in pfSense, we navigate to the Firewall tab on the top menu and select Rules. This section allows us to add, edit, or review existing rules that dictate how traffic is managed on your network interfaces (such as LAN or WAN).
From the dropdown list choose Rules.
Once inside the Rules section, you can review, add, or adjust rules to control traffic.
This helps manage and customize the flow of network traffic according to our security requirements or connectivity needs.
Firewall rules in pfSense, as in most firewalls, function based on several key criteria to determine whether traffic should be allowed or denied. Here’s how these rules work and what information is needed:
Key Components of a Firewall Rule:
1. Source: This defines the originating point of the traffic. It can be an IP address, network, or alias representing a group of IPs or networks.
2. Destination: This is where the traffic is intended to go. It can also be an IP address, network, or alias.
3. Source to Destination (Traffic Path): The rule specifies which traffic is allowed or denied between a source and a destination.
For example, we might have a rule that allows traffic from a LAN IP (source) to a specific external IP on the WAN (destination).
Let’s create a rule:
Click on Firewall from the top menu.
Choose Rules from the dropdown list.
Choose Aliases (Aliases in pfSense simplify rule management. By grouping ports, IPs, or networks into aliases, we can write more readable and maintainable firewall rules).
Choose Ports > Add
To create a new alias in pfSense for ports or other types of configurations:
- Name: Enter a descriptive name for the alias. This will be used to reference this alias in firewall rules. For example, we might name it WEB_PORTS or WEB_ACCESS.
- Description: Enter a brief description to help us remember what this alias is for. For example, “Common web service ports rules.”
- Type: Ensure the type is set to Port(s) since we are defining ports.
- Port(s): Enter the ports we want to include in this alias. We can add a single port, such as 80 for HTTP or 443 for HTTPS, or a range of ports, such as 1000:2000. We can also add multiple ports by separating them with commas.
- Add Port: Use the Add Port button to add more ports to the alias as needed.
Once we have entered all the necessary details, click Save to create the alias.
Once saved, you can use this alias in your firewall rules to simplify rule creation and management. This can be helpful when you frequently need to allow or block traffic on specific ports across your network.
We have successfully created a firewall alias named WEB_PORTS with ports 80 (HTTP) and 443 (HTTPS). This alias can be used to simplify rule creation for managing traffic involving these ports, such as allowing or blocking web traffic across the network.
We also create an alias named SSH_BLOCK to represent the SSH port (22). This alias can be used in firewall rules to block or manage traffic related to SSH connections. Click the Save button to save the alias.
To apply these changes and make them effective in pfSense:
Click on the green button labeled “Apply Changes” shown in the yellow notification bar to apply the newly created aliases to our firewall configuration.
Creating a NAT port forwarding rule in pfSense
Go to Firewall > NAT > Port Forward.
On the top menu, we can see the different types of Network Address Translation (NAT) configurations available in pfSense. Here’s what each of these options means:
1. Port Forward: This is used to redirect incoming traffic on a specific port or range of ports on the WAN (or any other interface) to a different port or IP address on an internal network. It’s commonly used for making internal services (e.g., web servers, FTP servers) accessible from outside the network.
2. 1:1 NAT: This configuration maps one public IP address to one internal IP address. It is a direct mapping where all traffic sent to the public IP is forwarded to the internal IP, and vice versa. It’s useful when you have multiple public IPs and want each to be associated with a unique internal IP.
3. Outbound: Outbound NAT, also known as Source NAT, is used to control how traffic originating from internal networks is presented to external networks. This is commonly configured to hide internal IP addresses behind a public IP address (usually the IP of the WAN interface). By default, pfSense automatically handles outbound NAT for private subnets.
4. NPT (Network Prefix Translation): This is specific to IPv6 and allows for the translation of IPv6 prefixes. It helps in translating one IPv6 prefix to another, enabling IPv6 address space to be mapped between different network segments. This can be useful for scenarios where IPv6 addresses need to be consistent across networks for communication purposes.
Each of these NAT types serves a different purpose based on the network’s needs and how traffic should be routed or translated between internal and external networks.
Click on the Add button to create a new port forwarding rule.
⚠️ Warning: Forwarding ports such as 22 (SSH) or 3389 (RDP) to external networks without safeguards like IP restrictions or VPN can make your network vulnerable to attacks. Ensure proper authentication and logging mechanisms are in place if you need to forward sensitive ports.
Configuring the Rule:
Interface: Choose the interface (WAN).
Protocol: Select the protocol.
Source Address: Leave as Any unless you want to specify a source.
Source Ports: Leave as Any.
Destination Address: Select the interface IP address or specify a particular IP.
Destination Ports: Choose the port or alias for which you’re creating the rule.
Redirect Target IP: Enter the internal IP address of the device you want the traffic to be redirected to.
Redirect Target Port: Specify the port on the internal device.
Add a Description (optional): Provide a short description for easy identification.
Save and Apply: Click Save and then Apply Changes to activate the new rule.
The NAT rule has been saved but not applied yet. Click the green Apply Changes button in the top-right corner to make the configuration effective.
We can then test whether the port forward works by accessing the service from a host on the WAN side of pfSense.
Firewall Rules
In the Firewall Rules configuration page for the WAN interface in pfSense we see:
Firewall / Rules / WAN: This is the section where you can create, modify, or delete firewall rules specific to traffic coming into the WAN (Wide Area Network) interface.
Top Tabs (Floating, WAN, LAN): These tabs allow us to switch between different interfaces or rule types:
Floating: Rules that can be applied globally across interfaces and can be configured to affect traffic in various directions.
WAN: Rules specifically for traffic entering through the WAN interface.
LAN: Rules for traffic moving within or exiting the internal network.
Rules (Drag to Change Order): This section lists all the firewall rules defined for the WAN interface. The order of rules matters because pfSense processes them from top to bottom; the first rule that matches the traffic stops further evaluation.
Columns
States: Indicates the state of each rule (active or inactive).
Protocol: Specifies the protocol that the rule applies to (TCP, UDP).
Source and Destination: Define the source and destination addresses the rule pertains to.
Port: Specifies the port or port range for the rule.
Gateway: Indicates if the rule is tied to a specific gateway.
Queue: Associated with traffic shaping for prioritization.
Schedule: Shows if the rule is applied according to a schedule.
Description: A brief description of the rule for easy identification.
Actions: Allows editing, deleting, or changing the rule’s position.
Note: the buttons below the rule list help manage rules for configuring access, restrictions, and NAT settings in pfSense.
Add (green up arrow): Adds a new rule at the top of the rule list.
Add (green down arrow): Adds a new rule at the bottom of the rule list.
Delete (red bin): Deletes selected rule(s).
Toggle (circle with a line): Enables or disables a rule.
Copy (square icon): Copies the selected rule for replication or modification.
Save (blue disk): Saves changes made to the rules.
Separator (orange plus): Adds a separator to organize rules for better visibility.
Firewall Rule Creation:
This is the setup interface for creating or editing firewall rules in pfSense. It includes defining:
Action (Pass, Block, Reject)
Interface (WAN, LAN)
Protocol (TCP, UDP)
This is where specific criteria are set to control traffic through the firewall.
Source Address:
1. Source: The Source field is set to any, which means the rule will apply to traffic coming from any IP address. This is a broad configuration, allowing the rule to match any incoming source.
2. Invert Match Option: The Invert match checkbox, if checked, would make the rule apply to any source except the one specified. In this case, it is unchecked, so the rule is not inverted.
3. Source Port Range: The Source Port Range is usually set to any, as shown in the explanatory note. This means that the rule applies to traffic regardless of the source port. The source port is often random in most connections and does not need to match the destination port.
The note explains that for most configurations, the source port range should remain as any, since specifying source ports is not common unless dealing with specific use cases (special server-to-server communication).
Destination Configuration:
The Destination section of a rule is where the destination address and ports are set, including port aliases such as WEB_PORTS. Options for specifying destination port ranges and IP addresses are shown.
Advanced Parameters and Customizations:
The advanced settings show features like enabling/disabling reply-to, setting connection limits, and specifying state types for session management.
VLAN priorities and policy routing options are also adjustable, showcasing the depth of customization available.
These steps detail how rules are defined, modified, and managed within the pfSense interface, focusing on specifying traffic control criteria, applying security measures, and enhancing network traffic management.
After saving the rule we see a newly created firewall rule applied to the WAN interface in pfSense.
Rule Summary:
This rule allows IPv4 TCP traffic (as indicated under the Protocol column).
The Source is set to *, meaning it allows traffic from any source.
The Port for the source is unspecified (*), implying any port from the source can initiate this traffic.
The Destination is set to This Firewall, indicating that traffic is directed to the pfSense device itself.
The Port for the destination is set to WEB_PORTS, which is a port alias (presumably covering ports 80 and 443 for HTTP/HTTPS traffic).
Description:
The description of this rule reads pfsense web port rule, which suggests that this rule is designed to allow web traffic to the pfSense firewall.
Actions:
The icons under the Actions column allow you to:
Anchor and prioritize the rule (as seen by the anchor icon).
Edit, disable, copy, or delete the rule using the corresponding icons.
Apply Changes:
A yellow notification banner at the top indicates that the rule configuration has been changed and needs to be applied to take effect. The green Apply Changes button confirms these changes.
This rule is structured to permit incoming TCP traffic on HTTP and HTTPS ports to the WAN interface of the pfSense firewall.
After applying the changes you will see a green notification at the top stating: “The changes have been applied successfully. The firewall rules are now reloading in the background. Monitor the filter reload progress.”
This indicates that the change to the firewall rules has been applied and the ruleset is being reloaded; the new rule is now in effect.
Let’s create one more rule that allows specific types of traffic (ICMP, web ports) to be monitored and passed based on the set parameters.
Creating and Editing Firewall Rules:
Action: Set to Pass, meaning that the rule will allow traffic that matches the criteria specified. If set to Block or Reject, the rule would deny traffic instead.
Disabled: This option is unchecked, indicating that the rule is active. If checked, the rule would be saved but not applied or processed.
Interface: Set to WAN, meaning this rule applies to traffic coming through the WAN (external) interface.
Address Family: Set to IPv4, meaning the rule applies specifically to IPv4 traffic. You could choose IPv6 or IPv4+IPv6 to match other types of traffic.
Protocol: Set to ICMP, which is the protocol used for network diagnostics and control messages, such as ping requests.
ICMP Subtypes: The value is set to any, meaning this rule will apply to any type of ICMP message. The dropdown shows examples of specific ICMP subtypes that could be chosen, such as Echo reply, Alternate Host, or Datagram conversion error.
Source: The field is set to any, which means this rule applies to traffic coming from any IP address.
Invert match: This checkbox is unchecked. If enabled, the rule would match any source except the specified source address. Since it is unchecked, it matches the specified source as defined (in this case, any).
Destination: Set to This firewall (self), which indicates that the rule applies to traffic whose destination is the pfSense firewall itself. This is often used for managing incoming traffic to services running on the pfSense device, such as the web interface, VPN, or other services.
Invert match: This is also unchecked, meaning the rule will only apply to traffic explicitly heading to This firewall (self) and not to other destinations.
Log: The checkbox Log packets that are handled by this rule is checked, so any packets matching this rule will be logged by pfSense.
This option is useful for monitoring and troubleshooting, allowing administrators to see which traffic is passing or being filtered by this specific rule.
A warning is displayed advising that local logging has limited space, suggesting the use of a remote syslog server for heavy logging needs.
Description: The field contains the text ICMP log management.
This is a user-defined description that helps identify the purpose of this rule. Descriptions make it easier to understand the context of the rule when reviewing firewall rules later.
Descriptions should be concise and meaningful; they will be displayed in the firewall rule list.
Advanced Options: The Display Advanced button is visible, which, when clicked, would reveal additional advanced configuration options for the rule.
These advanced settings typically include options for source operating systems, DiffServ Code Points (DSCP), TCP flags, and more specific state and tagging configurations.
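As an added example, not code from the page or from pfSense, the following Python models the rule components listed earlier (source, destination, ports, action) and the top-to-bottom, first-match evaluation described for the WAN rule list, using the WEB_PORTS and SSH_BLOCK aliases and the two WAN rules built in this guide (the web port rule and the logged ICMP rule). The block rule that uses SSH_BLOCK and the address set behind “This Firewall (self)” are assumptions based on the lab addresses shown earlier.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

def parse_port_alias(spec: str) -> Set[int]:
    """Expand an alias value such as '80, 443' or '1000:2000' into a set of ports."""
    ports: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" in item:                      # range written low:high, as in the alias form
            low, high = (int(x) for x in item.split(":", 1))
            ports.update(range(low, high + 1))
        else:
            ports.add(int(item))
    return ports

# Aliases created in the guide.
ALIASES = {"WEB_PORTS": parse_port_alias("80, 443"), "SSH_BLOCK": parse_port_alias("22")}
# Assumed: addresses that "This Firewall (self)" resolves to in this lab (WAN and LAN IPs).
FIREWALL_SELF = {"192.168.19.16", "192.168.1.1"}

@dataclass
class Rule:
    action: str        # pass, block or reject
    interface: str     # WAN or LAN
    proto: str         # tcp, udp, icmp or any
    src: str           # any, a single IP or a CIDR network
    dst: str           # any, self (This Firewall), a single IP or a CIDR network
    dport: str         # any, a port spec such as '22' or '1000:2000', or an alias name
    log: bool = False
    description: str = ""

@dataclass
class Packet:
    interface: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None   # None for protocols without ports, such as ICMP

def addr_matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    if spec == "self":
        return ip in FIREWALL_SELF
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec: str, port: Optional[int]) -> bool:
    if spec == "any":
        return True
    if port is None:
        return False
    return port in (ALIASES[spec] if spec in ALIASES else parse_port_alias(spec))

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str, bool]:
    """Check rules top to bottom on the packet's interface and return
    (action, description, logged) of the first match; unmatched traffic
    hits the default deny, which pfSense logs by default."""
    for r in rules:
        if r.interface != pkt.interface or (r.proto != "any" and r.proto != pkt.proto):
            continue
        if not addr_matches(r.src, pkt.src) or not addr_matches(r.dst, pkt.dst):
            continue
        if not port_matches(r.dport, pkt.dport):
            continue
        return r.action, r.description, r.log
    return "block", "Default deny rule", True

# The WAN rules built in the guide, plus an assumed block rule that uses SSH_BLOCK.
WAN_RULES = [
    Rule("block", "WAN", "tcp", "any", "self", "SSH_BLOCK", True, "block SSH to firewall (assumed)"),
    Rule("pass", "WAN", "tcp", "any", "self", "WEB_PORTS", False, "pfsense web port rule"),
    Rule("pass", "WAN", "icmp", "any", "self", "any", True, "ICMP log management"),
]
# A broad pass rule that, if dragged above the SSH block, would shadow it.
BROAD_PASS = Rule("pass", "WAN", "tcp", "any", "self", "any", False, "allow all tcp to firewall")

def shadowed_by_broad_pass() -> Tuple[str, str]:
    """Evaluate one SSH packet under the intended order and under the mistaken order."""
    ssh = Packet("WAN", "tcp", "192.168.19.13", "192.168.19.16", 22)
    return evaluate(WAN_RULES, ssh)[0], evaluate([BROAD_PASS] + WAN_RULES, ssh)[0]
```

The second value returned by shadowed_by_broad_pass() is the practical reason the rule order in the list matters: a rule that can never be reached gives no protection, however correct it looks on its own.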
Conclusion
By completing this guide, you now have a functioning pfSense setup. You’ve:
1. Configured network segmentation for better traffic control.
2. Created and tested basic firewall rules.
3. Monitored network traffic using logs.
This setup is a foundational step in building a robust cybersecurity lab. Continue exploring advanced features like VPNs, intrusion detection systems (IDS/IPS), and traffic shaping to expand your lab’s capabilities.
⚠️ Important Warnings
1. NAT Port Forwarding Risks
Forwarding sensitive ports like `22 (SSH)` or `3389 (RDP)` can expose your system to attacks. Always limit access by:
- Using VPNs or IP whitelisting.
- Enabling proper logging to monitor activity.
2. Configuration Backup
Before making significant changes, back up your settings:
- Navigate to `Diagnostics > Backup & Restore` in the Web UI.
- Export your current configuration.
This allows quick recovery if issues arise.