PFSENSE Rules
PFSENSE Rules
Hi Linus,
I really appreciate your support. I'm just starting with configuring my pfSense firewall and face this issue—after setting up rules on my LAN, I can't reach the internet. I need to allow specific ports like 53, 80, or 443. Could you help me? I'm from the Philippines and attached the relevant file. You mentioned disabling access for certain ports; please let me know how that should work. Thanks!
They are outbound instructions, not incoming ones. The source port won't be 53/80/443. That needs to be the target port. Adjust the Rules to match this format; Protocol - IPv4 UDP Source - Wifi network Source Port - * Destination Port - 53 (UDP) Gateway - * Protocol - IPv4 TCP Source - Wifi network Source Port - * Destination Port - 80 (TCP) Gateway - * Protocol - IPv4 TCP Source - Wifi network Source Port - * Destination Port - 443 (TCP) Gateway - *
There seems to be no valid justification for restricting ports. Users can easily circumvent them via a VPN on port 443.
It's really tough to manage the surrounding conditions, particularly with WiFi setups like pfSense. I thought my inquiry might help clarify what you're referring to. From what I see, WiFi on pfSense isn't the best option in many cases because it lacks the full capabilities of dedicated access points.
It doesn't matter the source of network packets—WiFi or Ethernet—when using IDS/IPS solutions like Snort or Suricata, you can perform deep packet inspection and stop any VPN traffic. It will be automatically dropped by the firewall and removed from the state table. If you can't bypass the edge firewall, your chances of accessing a VPN are minimal. Most VPNs rely on UDP packets, which are straightforward to detect and block at the firewall. Keep in mind that controlling the edge device between WAN and LAN gives you complete authority over user access. Gaining the expertise to apply this effectively requires experience.
I get it, but the original poster didn't reference this arrangement.
The issue was addressed by someone suggesting bypassing VPNs through TCP 443. @MikeSan recommended using IDS/IPS solutions like Snort or Suricata, which pfSense supports. I expanded on this to provide clearer insights for your reference, noting that managing traffic is challenging, but as the gateway, you can influence inbound and outbound activity based on your router/firewall capabilities.
Wireless or wired doesn't matter; the focus isn't on "especially dealing with wifi." Devices can connect via a laptop to a LAN drop just as easily. If you manage the environment, you control which devices join your network. On corporate settings, personal gadgets aren't typically permitted. There are various methods to handle rogue devices. Even if a security method exists, don't be lenient and skip it. Another reason for these firewall rules is to safeguard other LAN segments—no need to expose your WiFi network when accessing critical servers. This might be what you were seeking, though I assumed it was implied.