Common pfSense Configuration Recipes
This section collects the most frequently requested pfSense configuration recipes. Each recipe includes a task description and step-by-step instructions. The recipes assume familiarity with basic pfSense configuration and the web management interface.
Before following any recipe, create a configuration backup: Diagnostics - Backup & Restore. This enables rollback in case of errors.
Transparent Firewall (Transparent Bridge)
A transparent firewall operates at OSI layer 2, filtering traffic without modifying the network’s IP addressing. pfSense is placed between two network segments as an invisible bridge, allowing traffic filtering without reconfiguring IP addresses on hosts.
Step-by-Step
- Navigate to Interfaces - Assign and confirm both interfaces (e.g., WAN and LAN) are assigned
- Navigate to Interfaces - Bridges and create a bridge:
- Member Interfaces - select both interfaces
- Navigate to Interfaces - Assign, assign the created bridge as a new interface (e.g., BRIDGE0)
- Configure an IP address on the bridge interface (for pfSense management access)
- Remove IP addresses from the original member interfaces
- Navigate to System - Advanced - System Tunables and set:
net.link.bridge.pfil_member=0
net.link.bridge.pfil_bridge=1
- Create firewall rules on the bridge interface to filter traffic
Important: in bridge mode, pfSense does not perform NAT. Routing remains on the upstream router. Firewall rules apply to the bridge interface, not to individual bridge members.
DNS over TLS (DoT)
DNS over TLS encrypts DNS queries between pfSense and upstream DNS servers, protecting them from interception and modification by ISPs or attackers.
Step-by-Step
- Navigate to System - General Setup
- Configure DNS servers with DoT support:
| DNS Provider | IP Address | Hostname (TLS) |
|---|---|---|
| Cloudflare | 1.1.1.1 | cloudflare-dns.com |
| Google | 8.8.8.8 | dns.google |
| Quad9 | 9.9.9.9 | dns.quad9.net |
- Navigate to Services - DNS Resolver
- Enable DNS Resolver if not already enabled
- Enable DNS Query Forwarding
- Enable Use SSL/TLS for outgoing DNS Queries to Forwarding Servers
- In the Custom Options section, add (optional):
server:
    tls-cert-bundle: "/etc/ssl/cert.pem"
- Save and apply changes
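The GUI settings above end up as an Unbound forward-zone in which each upstream is written as `address@853#hostname`; the name after `#` is what Unbound checks the server certificate against, so a forwarder without it is encrypted but not authenticated. The following checker is an added example (not pfSense or Unbound code); the configuration text is constructed to resemble what the DNS Resolver generates from the provider table, and the function names are this example's own.

```python
"""Sanity-check an Unbound DoT forward-zone (added example, not pfSense or
Unbound code). The configuration text is constructed to mirror what the DNS
Resolver generates from the provider table when TLS forwarding is enabled;
the function names are this example's own."""
import re

# Constructed sample. In Unbound's forward-addr syntax, "@853" is the DoT
# port and "#hostname" is the name the server certificate is checked against
# (the "Hostname (TLS)" column). The last entry deliberately omits it.
SAMPLE_CONF = """\
server:
    tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 8.8.8.8@853
"""

ADDR_RE = re.compile(r"^\s*forward-addr:\s*([^\s@#]+)(?:@(\d+))?(?:#(\S+))?\s*$")


def parse_forward_addrs(conf):
    """Return (ip, port, auth_name) for every forward-addr line; port defaults to 53."""
    found = []
    for line in conf.splitlines():
        m = ADDR_RE.match(line)
        if m:
            ip, port, name = m.groups()
            found.append((ip, int(port) if port else 53, name))
    return found


def check_dot_config(conf):
    """Return a list of findings; an empty list means every forwarder is
    reached over TLS on port 853 with a hostname to authenticate against."""
    findings = []
    if not re.search(r"^\s*forward-tls-upstream:\s*yes", conf, re.M):
        findings.append("forward-tls-upstream is not enabled: queries are sent in cleartext")
    if not re.search(r"^\s*tls-cert-bundle:", conf, re.M):
        findings.append("no tls-cert-bundle: upstream certificates cannot be validated")
    for ip, port, name in parse_forward_addrs(conf):
        if port != 853:
            findings.append(f"{ip}: port {port} is not the DoT port 853")
        if name is None:
            findings.append(f"{ip}: no #hostname, so the certificate name is not verified")
    return findings


if __name__ == "__main__":
    for finding in check_dot_config(SAMPLE_CONF) or ["DoT configuration looks consistent"]:
        print(finding)
```

Run against the generated `unbound.conf` on the firewall after saving the resolver settings; the one finding the sample produces is exactly the case where a hostname was left out of the General Setup DNS server table.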
DNS over HTTPS (DoH)
pfSense does not natively support DoH in the DNS Resolver. To implement DoH, use the dns-over-https-proxy package or configure Unbound to forward to a local DoH proxy. DoT is the recommended option for pfSense.
Blocking Specific Countries (GeoIP)
GeoIP blocking restricts traffic from specific countries. It is used to shield servers from mass attacks originating in regions with which the organization has no business relationship.
Step-by-Step
- Register at MaxMind.com and obtain a free GeoLite2 license key
- Navigate to Firewall - Aliases and create a new alias:
- Name - e.g., Blocked_Countries
- Type - URL Table (IPs)
- URL - enter the URL for IP ranges of the target countries
- Alternative approach - install the pfBlockerNG package:
- System - Package Manager - Available Packages - pfBlockerNG-devel
- Configure GeoIP under Firewall - pfBlockerNG - GeoIP
- Select continents and countries to block
- pfBlockerNG automatically creates aliases and firewall rules
- Create a block rule on WAN:
Action: Block
Interface: WAN
Source: Blocked_Countries (alias)
Destination: any
Warning: GeoIP databases are not 100% accurate. VPNs and proxy servers can bypass geographic blocking. Use GeoIP as an additional layer of defense, not the sole control.
Port Knocking
Port knocking is a method of hiding services by requiring a sequence of connection attempts to specific ports before granting access. It is implemented through a series of firewall rules with state tracking.
Step-by-Step
- Define the port sequence (e.g., TCP 7000, TCP 8000, TCP 9000)
- Navigate to Firewall - Rules - WAN
- Create rules for each step in the sequence using pf anchors via custom rules or the knockd package:
Package-based approach:
- Connect to the pfSense console and install knockd with pkg
- Create a knockd configuration file:
[options]
logfile = /var/log/knockd.log
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 10
command = /sbin/pfctl -t knock_allowed -T add %IP%
tcpflags = syn
[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 10
command = /sbin/pfctl -t knock_allowed -T delete %IP%
tcpflags = syn
- Create a knock_allowed alias table in the firewall rules
- Create a rule on WAN allowing SSH access from sources in the knock_allowed table
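To make the mechanism behind the configuration above concrete, here is an added model of the knock sequence tracking (this is example code, not knockd's implementation or pfSense code). The SYN events are constructed; the sequences and the 10-second timeout are the values from the `[openSSH]` and `[closeSSH]` stanzas, and completing a sequence stands in for the `pfctl -t knock_allowed` command. The model resets a source's progress on any wrong port, which is the conservative reading of the configuration.

```python
"""Model of a knockd-style sequence tracker (added example, not knockd code).
Events are constructed SYN observations: (timestamp in seconds, source IP,
destination port). Completing OPEN_SEQ within SEQ_TIMEOUT adds the source to
the knock_allowed table; completing CLOSE_SEQ removes it."""

OPEN_SEQ = (7000, 8000, 9000)    # [openSSH] sequence
CLOSE_SEQ = (9000, 8000, 7000)   # [closeSSH] sequence
SEQ_TIMEOUT = 10                 # seq_timeout from the configuration


class KnockTracker:
    def __init__(self, sequence, timeout):
        self.sequence = sequence
        self.timeout = timeout
        self.progress = {}  # src -> (index of next expected port, time of first knock)

    def observe(self, ts, src, dport):
        """Feed one SYN; return True when src completes the whole sequence."""
        idx, start = self.progress.get(src, (0, ts))
        if idx > 0 and ts - start > self.timeout:
            idx, start = 0, ts  # stale attempt: start over
        if dport == self.sequence[idx]:
            if idx == 0:
                start = ts      # timeout window starts at the first correct knock
            idx += 1
            if idx == len(self.sequence):
                self.progress.pop(src, None)
                return True
            self.progress[src] = (idx, start)
        else:
            self.progress.pop(src, None)  # wrong port: discard the attempt
        return False


def replay(events):
    """Return the set of sources that would be in knock_allowed after events."""
    opener = KnockTracker(OPEN_SEQ, SEQ_TIMEOUT)
    closer = KnockTracker(CLOSE_SEQ, SEQ_TIMEOUT)
    table = set()
    for ts, src, dport in events:
        if opener.observe(ts, src, dport):
            table.add(src)      # /sbin/pfctl -t knock_allowed -T add %IP%
        if closer.observe(ts, src, dport):
            table.discard(src)  # /sbin/pfctl -t knock_allowed -T delete %IP%
    return table


# Constructed traffic: one correct sequence, one that exceeds seq_timeout,
# and one in the wrong order.
SAMPLE_EVENTS = [
    (0, "203.0.113.5", 7000), (2, "203.0.113.5", 8000), (4, "203.0.113.5", 9000),
    (0, "198.51.100.7", 7000), (15, "198.51.100.7", 8000), (16, "198.51.100.7", 9000),
    (20, "192.0.2.9", 7000), (21, "192.0.2.9", 9000), (22, "192.0.2.9", 8000),
]
# The allowed host later sends the close sequence.
CLOSE_EVENTS = [(30, "203.0.113.5", 9000), (31, "203.0.113.5", 8000), (32, "203.0.113.5", 7000)]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))                 # {'203.0.113.5'}
    print(replay(SAMPLE_EVENTS + CLOSE_EVENTS))  # set()
```

Note that the WAN rule only consults the table; the SYNs to 7000, 8000 and 9000 themselves never need a pass rule, since pf's default deny plus a logging rule is enough for knockd to see them.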
Forced DNS Redirect (Traffic Redirect)
DNS redirect forces all DNS queries from LAN to pass through the pfSense DNS server, even when clients have hardcoded alternative DNS servers (e.g., 8.8.8.8 configured directly on a device).
Step-by-Step
- Navigate to Firewall - NAT - Port Forward
- Create a redirect rule:
Interface: LAN
Protocol: TCP/UDP
Source: LAN net
Source port: any
Destination: LAN address, with Invert Match enabled (matches any destination except pfSense itself, so queries already sent to the local resolver are not redirected)
Destination port: 53
Redirect target IP: 127.0.0.1
Redirect target port: 53
- Add a block rule for DNS over TLS (port 853) so clients cannot bypass the redirect with direct DoT queries:
Action: Block
Interface: LAN
Protocol: TCP
Source: LAN net
Destination: any
Destination port: 853
- Confirm the DNS Resolver is running and bound to the LAN interface
Multiple Public IPs
Scenario: the ISP has provided a block of public IP addresses, and different IPs need to be mapped to different internal servers.
Step-by-Step
- Navigate to Firewall - Virtual IPs and add each additional public IP:
- Type - IP Alias (if the IP is from the same subnet as WAN) or Other (for separate subnets)
- Interface - WAN
- Address - the public IP address
- Navigate to Firewall - NAT - 1:1 to create one-to-one mappings:
- Interface - WAN
- External subnet IP - public IP
- Internal IP - private IP of the internal server
- Or use Firewall - NAT - Port Forward to redirect specific ports:
- Destination - select the Virtual IP
- Redirect target IP - internal server IP
- Create firewall rules on WAN to allow inbound traffic to the Virtual IPs
For NAT configuration details, see the pfSense NAT section.
DMZ Setup
A DMZ (Demilitarized Zone) is an isolated network segment for servers accessible from the internet. The DMZ separates public-facing servers from the internal network.
Step-by-Step
- Connect a third network interface to pfSense (physical or VLAN)
- Navigate to Interfaces - Assign and assign the new interface
- Configure the DMZ interface:
- IPv4 Address - e.g., 10.0.100.1/24
- Enable Interface - checked
- Configure DHCP for DMZ (optional): Services - DHCP Server - DMZ
- Create firewall rules (rules are evaluated top-down and the first match wins, so the block rule must sit above the pass rule on DMZ):
On WAN - allow inbound traffic to DMZ servers:
Action: Pass
Interface: WAN
Destination: DMZ net (specific servers and ports)
On DMZ - allow servers internet access, deny access to LAN:
Action: Block
Interface: DMZ
Source: DMZ net
Destination: LAN net
Action: Pass
Interface: DMZ
Source: DMZ net
Destination: any
On LAN - allow access from LAN to DMZ (optional):
Action: Pass
Interface: LAN
Source: LAN net
Destination: DMZ net
- Configure NAT Port Forward to map ports from WAN to DMZ servers
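The Forced DNS Redirect and DMZ recipes both depend on how pfSense evaluates rules: a NAT redirect is applied first and then the filter rules are walked top-down, first match wins. The following evaluator is an added example (not pfSense or pf code) that encodes both rule sets and shows the Invert Match on the DNS redirect, the DoT block, and why the DMZ-to-LAN block must precede the DMZ pass rule. Subnets, hosts and the dict-based rule encoding are constructed for this example.

```python
"""First-match evaluation of the DNS redirect and DMZ rule sets above (added
example, not pfSense or pf code). Networks, hosts and the rule encoding are
constructed for this example; they mirror the recipes but nothing here is
pfSense's own rule syntax."""
from ipaddress import IPv4Network, ip_address, ip_network

LAN_NET = ip_network("192.168.1.0/24")   # constructed LAN subnet
LAN_ADDR = ip_address("192.168.1.1")     # pfSense LAN address (the resolver)
DMZ_NET = ip_network("10.0.100.0/24")    # DMZ subnet from the recipe
ANY = None                               # wildcard for proto/src/dst/dport


def rule(action, iface, proto=ANY, src=ANY, dst=ANY, dport=ANY, invert_dst=False, target=None):
    """One rule: action is pass, block, or rdr (NAT redirect to target)."""
    return dict(action=action, iface=iface, proto=proto, src=src, dst=dst,
                dport=dport, invert_dst=invert_dst, target=target)


def covers(net, addr):
    """True if net (wildcard, subnet, or single address) includes addr."""
    if net is ANY:
        return True
    if isinstance(net, IPv4Network):
        return addr in net
    return addr == net


def matches(r, pkt):
    if r["iface"] != pkt["iface"]:
        return False
    if r["proto"] is not ANY and pkt["proto"] not in r["proto"]:
        return False
    if not covers(r["src"], pkt["src"]):
        return False
    # Invert Match flips the destination test: "everything except dst".
    if covers(r["dst"], pkt["dst"]) == r["invert_dst"]:
        return False
    return r["dport"] is ANY or pkt["dport"] == r["dport"]


# Firewall - NAT - Port Forward: DNS to anything except pfSense itself goes to the local resolver.
NAT_RULES = [
    rule("rdr", "LAN", proto=("tcp", "udp"), src=LAN_NET, dst=LAN_ADDR, invert_dst=True,
         dport=53, target=(ip_address("127.0.0.1"), 53)),
]

# Firewall - Rules, in the order pfSense evaluates them (first match wins).
FILTER_RULES = [
    rule("block", "LAN", proto=("tcp",), src=LAN_NET, dport=853),  # no direct DoT
    rule("block", "DMZ", src=DMZ_NET, dst=LAN_NET),                # DMZ must not reach LAN...
    rule("pass", "DMZ", src=DMZ_NET),                               # ...but may reach the internet
    rule("pass", "LAN", src=LAN_NET, dst=DMZ_NET),                  # LAN may manage DMZ hosts
    rule("pass", "LAN", src=LAN_NET),                               # pfSense's default LAN allow
]

# Same DMZ rules with the pass rule above the block rule: the block is never reached.
MISORDERED_DMZ = [FILTER_RULES[2], FILTER_RULES[1]]


def packet(iface, proto, src, dst, dport):
    return dict(iface=iface, proto=proto, src=ip_address(src), dst=ip_address(dst), dport=dport)


def evaluate(pkt, nat_rules=NAT_RULES, filter_rules=FILTER_RULES):
    """Apply the first matching redirect, then the first matching filter rule.
    Returns (verdict, "final-destination:port"); no match means default deny."""
    pkt = dict(pkt)
    for r in nat_rules:
        if matches(r, pkt):
            pkt["dst"], pkt["dport"] = r["target"]
            break
    for r in filter_rules:
        if matches(r, pkt):
            return r["action"], f'{pkt["dst"]}:{pkt["dport"]}'
    return "block", f'{pkt["dst"]}:{pkt["dport"]}'


if __name__ == "__main__":
    print(evaluate(packet("LAN", "udp", "192.168.1.50", "8.8.8.8", 53)))       # ('pass', '127.0.0.1:53')
    print(evaluate(packet("LAN", "udp", "192.168.1.50", "192.168.1.1", 53)))   # ('pass', '192.168.1.1:53')
    print(evaluate(packet("LAN", "tcp", "192.168.1.50", "1.1.1.1", 853)))      # ('block', '1.1.1.1:853')
    print(evaluate(packet("DMZ", "tcp", "10.0.100.20", "192.168.1.10", 445)))  # ('block', '192.168.1.10:445')
    print(evaluate(packet("DMZ", "tcp", "10.0.100.20", "192.168.1.10", 445),
                   filter_rules=MISORDERED_DMZ))                                # ('pass', '192.168.1.10:445')
```

The last call is the misconfiguration to watch for when editing the DMZ tab: dragging the pass rule above the block rule silently opens DMZ-to-LAN traffic, and only a rule-order review (or a test like this) reveals it.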
Secure Remote Administration
Remote access to the pfSense web GUI over the internet requires additional security measures.
Step-by-Step
- Change the web GUI port: System - Advanced - Admin Access, set a non-standard HTTPS port (e.g., 8443)
- Restrict access by IP: create an alias with permitted administrator IP addresses
- Create a rule on WAN:
Action: Pass
Interface: WAN
Protocol: TCP
Source: Admin_IPs (alias)
Destination: WAN address
Destination port: 8443
Recommended approach - use VPN instead of direct access:
- Configure OpenVPN or WireGuard on pfSense (see VPN section)
- Connect to pfSense through the VPN tunnel
- Do not expose the web GUI on WAN
Enable brute-force protection: System - Advanced - Login Protection
- Set the lockout threshold (e.g., 5 attempts within 5 minutes)
- Lockout duration: 30 minutes
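To show what the Login Protection thresholds above mean in practice, here is an added sliding-window lockout model (example code, not pfSense's own login protection, which is implemented by sshguard). The log lines are constructed to resemble webConfigurator authentication failures; the threshold of 5 attempts within 5 minutes and the 30-minute lockout are the values from the recipe.

```python
"""Sliding-window lockout model for the Login Protection settings above
(added example, not pfSense's sshguard-based implementation). The log lines
are constructed to resemble pfSense webConfigurator authentication failures."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                          # failed attempts ...
DETECTION_WINDOW = timedelta(minutes=5)  # ... within this window
LOCKOUT = timedelta(minutes=30)        # lockout duration

LOG_RE = re.compile(r"^(\S+) .*webConfigurator authentication error for user '([^']*)' from: (\S+)")

# Constructed sample: one source hammering the GUI, one spread out below the threshold.
SAMPLE_LOG = """\
2024-05-01T10:00:00 pfsense php-fpm[345]: /index.php: webConfigurator authentication error for user 'admin' from: 203.0.113.9
2024-05-01T10:00:30 pfsense php-fpm[345]: /index.php: webConfigurator authentication error for user 'admin' from: 203.0.113.9
2024-05-01T10:01:00 pfsense php-fpm[345]: /index.php: webConfigurator authentication error for user 'root' from: 203.0.113.9
2024-05-01T10:01:30 pfsense php-fpm[345]: /index.php: webConfigurator authentication error for user 'admin' from: 203.0.113.9
2024-05-01T10:02:00 pfsense php-fpm[345]: /index.php: webConfigurator authentication error for user 'admin' from: 203.0.113.9
2024-05-01T10:05:00 pfsense php-fpm[345]: /index.php: webConfigurator authentication error for user 'admin' from: 203.0.113.9
2024-05-01T10:00:00 pfsense php-fpm[345]: /index.php: webConfigurator authentication error for user 'alice' from: 198.51.100.4
2024-05-01T10:02:00 pfsense php-fpm[345]: /index.php: webConfigurator authentication error for user 'alice' from: 198.51.100.4
2024-05-01T10:04:00 pfsense php-fpm[345]: /index.php: webConfigurator authentication error for user 'alice' from: 198.51.100.4
2024-05-01T10:06:00 pfsense php-fpm[345]: /index.php: webConfigurator authentication error for user 'alice' from: 198.51.100.4
2024-05-01T10:08:00 pfsense php-fpm[345]: /index.php: webConfigurator authentication error for user 'alice' from: 198.51.100.4
"""


def parse_failures(log):
    """Yield (timestamp, user, source IP) for each authentication failure line."""
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def lockouts(log):
    """Return ({ip: (lock_start, lock_end)}, attempts_dropped_while_locked)."""
    recent = defaultdict(deque)  # per-IP timestamps inside the detection window
    locked = {}
    dropped = 0
    for ts, _user, ip in parse_failures(log):
        if ip in locked and ts < locked[ip][1]:
            dropped += 1         # the firewall drops the source while locked out
            continue
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > DETECTION_WINDOW:
            window.popleft()     # forget attempts older than the window
        if len(window) >= THRESHOLD:
            locked[ip] = (ts, ts + LOCKOUT)
            window.clear()
    return locked, dropped


if __name__ == "__main__":
    locked, dropped = lockouts(SAMPLE_LOG)
    for ip, (start, end) in locked.items():
        print(f"{ip} locked out from {start} until {end}")
    print(f"{dropped} attempt(s) dropped during lockout")
```

Note how 198.51.100.4 never trips the threshold: five failures spaced two minutes apart never have five inside any five-minute window, which is exactly the slow-and-low pattern a pure count-in-window rule does not catch, and why restricting the source to an Admin_IPs alias or a VPN matters more than the lockout.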
Bandwidth Monitoring per IP
Track bandwidth consumption by each host on the network.
Step-by-Step
Built-in monitoring - Status - Traffic Graph:
- Shows real-time traffic per interface
- Limited to the current moment with no historical data
ntopng package (recommended for detailed monitoring):
- Install: System - Package Manager - Available Packages - ntopng
- Configure: Diagnostics - ntopng Settings
- Select interfaces to monitor (LAN, WAN)
- ntopng web interface available at https://pfSense_IP:3001
Darkstat package (lightweight alternative):
- Install through Package Manager
- Configure monitoring interfaces
- Displays statistics by host and protocol
BandwidthD package:
- Generates per-IP bandwidth consumption graphs
- Stores historical data
- Suitable for reporting
For comprehensive pfSense monitoring with Prometheus, see the monitoring section.
VPN with Split DNS
Split DNS separates name resolution: corporate domains resolve through an internal DNS server via VPN, while all other queries use public DNS servers.
Step-by-Step
Configure an OpenVPN server on pfSense (see VPN section)
In the OpenVPN server settings:
- Do not enable the Redirect IPv4 Gateway flag (to avoid routing all traffic through VPN)
- In the DNS Server field, enter the IP address of the corporate DNS server
- In the DNS Domain field, enter the corporate domain (e.g., corp.example.com)
Navigate to Services - DNS Resolver
Under Domain Overrides, add an entry:
- Domain - corporate domain (corp.example.com)
- IP Address - internal DNS server address
Configure routing:
- In the OpenVPN server settings, add IPv4 Local Network - subnets accessible through VPN
- The client receives routes only to the specified subnets
On the client side, ensure the corporate domain DNS suffix is delivered through the VPN connection
For general VPN configuration, see the pfSense VPN section. Troubleshooting topics are covered in the troubleshooting guide.