Configuring pfSense Firewall

Cybersecurity Monitoring Lab – Part 4 – Configuring pfSense

HOMELAB

Rezwan Siddique

12/3/2023

In this part of setting up our homelab, we’re going to define the firewall rules for our networks in pfSense.

Logging in to pfSense

Open a browser on your Kali machine and enter the IP address of the pfSense interface. Recall that this IP address is the gateway address for the LAN interface of our pfSense router, 10.0.10.1.

Alternatively, you can log in to pfSense from the WAN interface. On the pfSense machine, type “8” to enter the shell. Then enter the following command to disable the firewall (the pf packet filter):

#pfctl -d

When finished configuring the firewall, remember to re-enable the firewall with:

#pfctl -e

To log in to pfSense from the WAN interface, you’ll enter the IP of vtnet0. In my case, it is 10.0.0.11. For this tutorial, I’m going to use the Kali machine installed on the LAN interface.

You’re going to get a warning because the certificate for this site is self-signed. Click “Accept the Risk and Continue.”

Initial Setup

The next screen will be the wizard for the initial configuration of pfSense. Click next and next again.

The default credentials are “admin” for the username and “pfsense” for the password.

I’m using Cloudflare’s DNS server (1.1.1.1) as my primary server and Google’s (8.8.8.8) as my backup. Click “Override DNS” if you want to use your home router’s DNS servers instead.

Choose your time zone accordingly.

On step 4, uncheck the “Block private networks from entering via WAN” option, since our WAN interface is our internal home network and not the internet. We’ll let some devices on this network communicate with this lab network.

Step 5 should remain unchanged, as the subnet configuration should be consistent with the initial setup when installing pfSense.

Set a new admin password for step 6. (Please make sure to change the default password.)

Click "reload" and then click "finish" on the following screen. Accept the license agreement that pops up afterwards.

Label Interfaces

Next, we’re going to label our interfaces. On the menu bar, click Interfaces, then LAN. Change LAN to Kali (you can name it whatever makes sense to you). Then click save.

Create Aliases

We’re going to create an alias for RFC1918 private networks. This alias will be used in some firewall rules to reference the private address space in later steps.

Click firewall, then aliases, then hit the “Add” button.

Type in a description and the IP ranges shown. Then save.

Again, on the menu bar, click Interfaces, then OPT1. Change OPT1 to AD network (name it whatever is convenient for you).

Then click save.

WAN Firewall Rules

We want the following rules for our WAN interface:

- Allow devices on the WAN to access the router.

- Allow devices on the WAN to access the Kali/LAN network for ssh or remote desktop access.

- Block access from the WAN to the AD network.

On the top menu, click “Firewall,” then “Rules.”

Make sure the WAN tab is highlighted, then press “Add.”

WAN Access to pfSense Web Interface

The first rule we’re going to add is WAN access to the router so we can log in from that network. Here’s the setup:

We’re only allowing traffic to pass to the firewall on port 443 for logging in. Save the changes. We don’t have to apply changes until all of the firewall rules are made.

WAN to LAN Access

Next is allowing access from the WAN to the LAN:

Block Access to Active Directory Network

Block all access to the Active Directory (AD) network. Note the action is Block:

The end state should look like this:

LAN Firewall Rules

No changes are needed for the LAN interface. We want this network to be able to communicate with all of the other networks for now.

AD Network Rules

Navigate to the AD_Network interface. For our Active Directory Network, we want the following rules:

- Access to the default gateway for internet access

- Allow traffic to internet addresses

- Allow packets to the Kali machine

- Block all other traffic

Access Default Gateway

Save it, then add the next rule below.

Allow Routing to Internet Addresses

Remember to check the “Invert match” box for the destination. For the destination address, the RFC1918 alias should come up as an autofill option once you start typing.

Save it, then add the next rule below.

Allow Access to LAN

Click on apply changes. Our firewall rules are now done.
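The four AD network rules above, modelled as an added example (not part of the original tutorial) that checks destinations top-down with the first matching rule winning, which is how pfSense applies interface rules. It also shows what changes if “Invert match” is left unchecked on the internet rule. The AD gateway 10.0.20.1 and the /24 mask on the Kali/LAN network are assumptions; substitute your own subnets.

```python
import ipaddress

# RFC 1918 private address space: the contents of the RFC1918 alias.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# (action, destination networks, invert match, description), in top-down order.
# Assumed addresses: AD gateway 10.0.20.1, Kali/LAN network 10.0.10.0/24.
AD_RULES = [
    ("pass", [ipaddress.ip_network("10.0.20.1/32")], False, "default gateway"),
    ("pass", RFC1918, True, "internet (not RFC1918)"),
    ("pass", [ipaddress.ip_network("10.0.10.0/24")], False, "Kali/LAN network"),
    ("block", [ipaddress.ip_network("0.0.0.0/0")], False, "everything else"),
]

# Same ruleset with "Invert match" left unchecked on rule 2 (the mistake to avoid).
NO_INVERT = ([AD_RULES[0], ("pass", RFC1918, False, "RFC1918 (invert forgotten)")]
             + AD_RULES[2:])


def evaluate(dst, rules=AD_RULES):
    """Return (action, description) of the first rule matching destination dst."""
    addr = ipaddress.ip_address(dst)
    for action, nets, invert, desc in rules:
        in_nets = any(addr in net for net in nets)
        # A rule matches when membership and the invert flag disagree:
        # normal rule -> address is in the networks; inverted -> it is not.
        if in_nets != invert:
            return action, desc
    return "block", "implicit default deny"


if __name__ == "__main__":
    # Constructed sample destinations: gateway, public DNS, a Kali/LAN host,
    # the pfSense WAN address on the home network, a typical home router.
    samples = ("10.0.20.1", "1.1.1.1", "10.0.10.50", "10.0.0.11", "192.168.1.1")
    for dst in samples:
        good = evaluate(dst)
        bad = evaluate(dst, NO_INVERT)
        print(f"{dst:<12} correct={good[0]:<5} ({good[1]})  "
              f"no-invert={bad[0]:<5} ({bad[1]})")
```

With the invert box unchecked, the home network becomes reachable from the AD network and internet destinations fall through to the block rule, the opposite of the intended policy.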

And with that, our firewall configuration is complete. Now that we have control over the flow of traffic between our networks, it's time to set up the Active Directory network. Following that, we'll configure our monitoring systems to simulate alerting us of any suspicious activity on the network.