pfSense Network Recipes - VLANs, Proxy, IPv6

This section provides network configuration recipes for pfSense covering segment isolation with VLANs, proxy server deployment, DNS filtering, traffic mirroring for intrusion detection systems, IPv6 configuration, and link aggregation.

Before following any recipe, create a configuration backup at Diagnostics - Backup & Restore. For foundational interface information, see the pfSense interfaces section.

Multi-Tenant Network Isolation with VLANs

VLANs partition a physical network into isolated logical segments. This applies to offices with multiple departments, co-working spaces, and multi-tenant environments requiring separate network access.

Step-by-Step

  1. Confirm the managed switch supports 802.1Q and a trunk port to pfSense is configured

  2. Navigate to Interfaces - VLANs and create a VLAN for each tenant:

    • Parent Interface - physical interface connected to the switch (e.g., igb1)
    • VLAN Tag - unique identifier (e.g., 100 for Tenant A, 200 for Tenant B)
    • Description - Tenant_A, Tenant_B
  3. Navigate to Interfaces - Assign and assign each VLAN as a separate interface

  4. Configure each interface:

    • IPv4 Configuration Type - Static IPv4
    • IPv4 Address - unique subnet (10.100.0.1/24 for Tenant A, 10.200.0.1/24 for Tenant B)
  5. Configure DHCP for each VLAN: Services - DHCP Server - select the tenant interface

  6. Create isolation rules on each tenant interface. pfSense evaluates interface rules top-down and stops at the first match, so every block rule must sit above the pass rule:

# Block inter-tenant traffic (place above the pass rule)
Action: Block
Interface: Tenant_A
Source: Tenant_A net
Destination: Tenant_B net

# Allow internet access (place after all block rules)
Action: Pass
Interface: Tenant_A
Source: Tenant_A net
Destination: any
  7. Repeat the rules for each tenant, blocking access to every other segment. With more than a handful of tenants, put all tenant subnets in one alias (Firewall - Aliases) and use a single block rule with that alias as the destination. The pass-to-any rule still reaches the firewall's own addresses on other VLANs, so also block destination "This Firewall" except for the DNS and DHCP ports the tenants need

  8. On the managed switch, configure access ports for each VLAN

For detailed VLAN configuration, see the pfSense VLANs section.
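The rules above are only as good as their order: pfSense stops at the first matching rule, so a pass-to-any placed above the block rules silently defeats the segmentation, and the mistake is easy to miss across many tenant tabs. The following Python script is an added example for this page, not pfSense code; it builds the per-tenant rule list for a constructed three-tenant table, renders it in pf.conf-like syntax for comparison with Diagnostics - Command Prompt output, and emulates first-match evaluation to verify that every tenant-to-tenant flow is blocked while internet-bound traffic still passes. The tenant names, subnets, the 198.51.100.10 stand-in for an internet host and the rendering format are assumptions.

```python
"""Tenant isolation rules for the VLAN recipe: generate, render, and verify order.

pfSense evaluates interface rules top-down and stops at the first match
("quick" rules), so every inter-tenant block must sit above the pass-to-any.
"""
import ipaddress
from itertools import permutations

# Constructed tenant table for the example (names and subnets are illustrative).
TENANTS = {
    "Tenant_A": ipaddress.ip_network("10.100.0.0/24"),
    "Tenant_B": ipaddress.ip_network("10.200.0.0/24"),
    "Tenant_C": ipaddress.ip_network("10.150.0.0/24"),
}
ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNET_HOST = "198.51.100.10"  # documentation-range address standing in for "the internet"


def tenant_rules(tenants):
    """Per-interface rules as (action, interface, source, destination) tuples,
    in evaluation order: one block per other tenant, then one pass to any."""
    rules = []
    for name, net in tenants.items():
        for other, other_net in tenants.items():
            if other != name:
                rules.append(("block", name, net, other_net))
        rules.append(("pass", name, net, ANY))
    return rules


def first_match(rules, iface, src_ip, dst_ip):
    """Emulate pf first-match evaluation for a packet entering on iface.
    Falls through to pfSense's implicit default deny when nothing matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, rule_iface, src_net, dst_net in rules:
        if rule_iface == iface and src in src_net and dst in dst_net:
            return action
    return "block"


def isolation_ok(rules, tenants):
    """True when no tenant can reach another tenant's subnet and every tenant
    can still reach an internet address."""
    for a, b in permutations(tenants, 2):
        if first_match(rules, a, str(tenants[a][10]), str(tenants[b][10])) != "block":
            return False
    return all(first_match(rules, a, str(tenants[a][10]), INTERNET_HOST) == "pass"
               for a in tenants)


def to_pf(rules):
    """Render the rules in pf.conf-like syntax, close to what `pfctl -sr`
    prints from Diagnostics - Command Prompt, for side-by-side review."""
    lines = []
    for action, iface, src, dst in rules:
        dst_txt = "any" if dst == ANY else str(dst)
        lines.append(f"{action} in quick on {iface} inet from {src} to {dst_txt}")
    return "\n".join(lines)


if __name__ == "__main__":
    good = tenant_rules(TENANTS)
    print(to_pf(good))
    print("isolation ok:", isolation_ok(good, TENANTS))
    # The common mistake: pass-to-any above the block rules.
    passes_first = [r for r in good if r[0] == "pass"] + [r for r in good if r[0] == "block"]
    print("pass-first isolation ok:", isolation_ok(passes_first, TENANTS))
```

Run it as a script to print the rule set and the result of the check for both orderings. The emulation deliberately models only what pf enforces: the pass rule still lets a tenant reach the firewall's own addresses on other VLANs, which is why each tenant tab should also block destination This Firewall except for DNS and DHCP.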

Transparent Squid Proxy with SSL Inspection

Squid in transparent mode intercepts HTTP/HTTPS traffic without configuring proxy settings on clients. SSL inspection enables filtering of encrypted traffic but requires distributing a root certificate to client devices.

Step-by-Step

  1. Install the Squid package: System - Package Manager - Available Packages - squid

  2. Create an internal CA for SSL inspection:

    • Navigate to System - Cert Manager - CAs
    • Click Add and create a new CA:
      • Method - Create an internal Certificate Authority
      • Common Name - Squid Proxy CA
      • Key type - RSA, 2048 bit
  3. Navigate to Services - Squid Proxy Server - General:

    • Enable Squid Proxy - checked
    • Proxy Interface - LAN
    • Proxy Port - 3128
    • Transparent HTTP Proxy - checked
    • HTTPS/SSL Interception - checked
    • SSL/MITM Mode - Splice All (Squid reads the server name from the TLS ClientHello and passes the session through unmodified, so only domain-level filtering and logging are possible and clients need no CA) or Bump All (Squid terminates TLS, inspects the content and re-encrypts to the client with a certificate issued by the internal CA; this is the mode that requires the CA on every client)
    • CA - select the Squid Proxy CA
    • SSL Proxy Port - 3129
  4. Navigate to Services - Squid Proxy Server - ACLs and configure access lists:

    • Allowed Subnets - 192.168.1.0/24
    • Blacklist - add blocked domains as needed
  5. Export the CA certificate and distribute to client devices:

    • System - Cert Manager - CAs - export the CA certificate
    • Install into trusted root certificates on each client (via GPO for Windows domains)
  6. Navigate to Services - Squid Proxy Server - Real Time to monitor traffic

Warning: SSL inspection is a form of MITM interception. Users must be notified and consent obtained (in corporate environments, through an acceptable use policy). Applications using certificate pinning will not function through the proxy; add their destinations to a splice (bypass) list rather than weakening pinning on the clients. The CA private key lives on pfSense and can sign a certificate for any site the clients trust, so restrict GUI and SSH access to the firewall and encrypt configuration backups, which include that key.

DNS Sinkhole with pfBlockerNG DNSBL

pfBlockerNG in DNSBL mode answers DNS queries for listed malicious and advertising domains with its DNSBL virtual IP (a local web server that logs the hit and serves nothing useful to the client) instead of the real address; in Unbound python mode the Null Block option returns 0.0.0.0 instead. This functions similarly to Pi-hole, integrated directly into pfSense.

Step-by-Step

  1. Install the package: System - Package Manager - Available Packages - pfBlockerNG-devel

  2. Navigate to Firewall - pfBlockerNG - General:

    • Enable pfBlockerNG - checked
    • Keep Settings - checked
  3. Navigate to Firewall - pfBlockerNG - DNSBL:

    • Enable DNSBL - checked
    • DNSBL Mode - Unbound python mode (recommended)
    • DNSBL Virtual IP - 10.10.10.1 (virtual IP for blocking)
    • DNSBL Listening Port - 8081
    • DNSBL SSL Listening Port - 8443
  4. Navigate to the DNSBL Feeds tab and add block lists:

    • EasyList - https://easylist.to/easylist/easylist.txt - Advertising (Adblock Plus syntax, so add it under the DNSBL EasyList tab rather than as a DNSBL Feed)
    • Steven Black Hosts - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts - Advertising + Malware (hosts format)
    • Malware Domain List - https://www.malwaredomainlist.com/hostslist/hosts.txt - Malware (the project is no longer maintained; confirm that any feed still updates before relying on it)
  5. For each feed, configure:

    • Action - Unbound
    • Update Frequency - Every 1 hour or Once a day
  6. Navigate to Firewall - pfBlockerNG - Update and click Run for the initial list download

  7. Prevent clients from bypassing DNSBL by forcing all DNS through pfSense: add a port forward (Firewall - NAT - Port Forward) on each LAN interface for TCP/UDP port 53 with any destination except the interface address, redirected to 127.0.0.1 port 53, and block outbound DNS over TLS (TCP 853). DNS over HTTPS cannot be redirected this way, so block known DoH resolver addresses or disable DoH in managed browsers

  8. Monitor blocks: Firewall - pfBlockerNG - Reports - DNSBL
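pfBlockerNG's value lies in what it does between downloading a feed and loading Unbound: normalising entries, discarding junk such as localhost and malformed names, and emitting redirect zones that also catch subdomains. The Python script below is an added example, not pfBlockerNG code; it performs that transformation on a constructed feed sample that mixes hosts format, plain domain lines, comments and invalid entries, renders Unbound local-zone/local-data entries pointing at the DNSBL virtual IP (or 0.0.0.0 for Null Block), and emulates the redirect lookup so a candidate feed can be sanity-checked before it goes live. The sample domains and the exact config rendering are assumptions.

```python
"""Turn DNSBL-style feeds into Unbound redirect zones and emulate the lookup.

pfBlockerNG normalises feed entries and hands them to Unbound; this shows the
shape of that transformation so an operator can sanity-check a new feed.
"""
import re

DNSBL_VIP = "10.10.10.1"   # the DNSBL Virtual IP from the recipe
NULL_BLOCK = "0.0.0.0"     # Unbound python mode "Null Block" answer
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed sample covering hosts format, plain domain lists, comments and junk.
SAMPLE_FEED = """\
# Title: constructed sample feed (not a real block list)
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.NET   # inline comment
0.0.0.0 ads.example.com
malware.example.org
bad_label.example.com
0.0.0.0 toolong...
"""


def is_hostname(name):
    """Accept only syntactically valid multi-label host names (no bare TLDs,
    no numeric TLDs, no underscores, no leading/trailing hyphens)."""
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2 or labels[-1].isdigit():
        return False
    return all(LABEL.match(label) for label in labels)


def parse_feed(text):
    """Extract the set of blockable domains from hosts-format or domain-list text."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # hosts format is "<address> <name>"; a domain list has one field per line
        name = (fields[1] if len(fields) > 1 else fields[0]).lower().rstrip(".")
        if is_hostname(name):
            domains.add(name)
    return domains


def unbound_conf(domains, answer=DNSBL_VIP):
    """Render local-zone redirect entries: the zone and everything beneath it
    resolve to the block address."""
    out = []
    for d in sorted(domains):
        out.append(f'local-zone: "{d}." redirect')
        out.append(f'local-data: "{d}. A {answer}"')
    return "\n".join(out)


def resolve(domains, qname, answer=DNSBL_VIP):
    """Emulate Unbound's redirect semantics: walk up the name until a blocked
    zone matches; return the block address or None for an unblocked name."""
    q = qname.lower().rstrip(".")
    while q:
        if q in domains:
            return answer
        q = q.partition(".")[2]
    return None


if __name__ == "__main__":
    blocked = parse_feed(SAMPLE_FEED)
    print(unbound_conf(blocked))
    for name in ("www.ads.example.com", "example.com", "malware.example.org"):
        print(name, "->", resolve(blocked, name))
```

The redirect zone type is what makes `www.ads.example.com` resolve to the block address even though only `ads.example.com` is listed; a feed full of bare second-level domains therefore blocks far more than it appears to, which is worth checking against the Reports tab after the first update.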

Traffic Mirroring (Port Mirror/SPAN) for IDS

Traffic mirroring copies frames from a source interface to a second interface so an intrusion detection system (Suricata, Snort) can inspect them outside the forwarding path. The Suricata and Snort packages on pfSense can already listen on LAN or WAN directly, so mirroring is needed when the sensor runs on another host, or when traffic that never crosses pfSense (for example, traffic between hosts on the same VLAN) must reach a sensor interface on pfSense.

Step-by-Step

  1. Connect a dedicated network interface to pfSense for mirroring (e.g., igb2)

  2. Assign the interface: Interfaces - Assign - add igb2 as SPAN

  3. Enable the interface without an IP address:

    • IPv4 Configuration Type - None
    • IPv6 Configuration Type - None
  4. Bring the interface up in promiscuous mode from the pfSense shell (SSH or console):

ifconfig igb2 promisc up
  5. For persistent configuration, install the shellcmd package and add the command as a shellcmd entry (System - Advanced - System Tunables only sets sysctl values and cannot run a command):

/sbin/ifconfig igb2 promisc up
  6. To mirror traffic that passes through pfSense itself, configure a bridge with a span port:

    • Navigate to Interfaces - Bridges and create a bridge whose Member Interfaces are the source interfaces (e.g., LAN and OPT1)
    • Under Advanced, set Span Port to the SPAN interface (igb2); the span port receives a copy of every frame the bridge forwards and must not itself be a member
    • Bridging changes how pfSense forwards between the member interfaces, so review the bridge documentation before applying this to production segments
  7. Alternatively, use a managed switch, which leaves the pfSense topology untouched:

    • Configure a SPAN/mirror session on the switch with the uplink or tenant ports as the source
    • Direct the mirrored traffic to the switch port connected to igb2
  8. Install Suricata or Snort on pfSense and bind it to the SPAN interface; before tuning rules, confirm that frames arrive with Diagnostics - Packet Capture on igb2 (or tcpdump -ni igb2 from the shell)

For additional security configurations, see the security recipes section.

PPPoE Server for ISP/WISP

pfSense can function as a PPPoE server to provide internet access to subscribers. This is used by internet service providers and wireless ISPs (WISP).

Step-by-Step

  1. Navigate to Services - PPPoE Server

  2. Click Add and configure:

    • Interface - subscriber-facing interface (e.g., LAN or a dedicated OPT)
    • Total User Count - maximum number of subscribers
    • User Subnet - subnet for subscriber IPs (e.g., 10.10.0.0/16)
    • Server Address - pfSense IP in the subscriber subnet (10.10.0.1)
    • Remote Address Range - starting IP for subscribers (10.10.0.2)
    • DNS Servers - DNS server IPs for subscribers
    • RADIUS - configure a RADIUS server (FreeRADIUS) for accounting and authentication
  3. Create local PPPoE users (or use RADIUS):

    • System - User Manager - add users
    • Or install the FreeRADIUS package for centralized management
  4. Create firewall rules on the PPPoE interface:

Action: Pass
Interface: PPPoE
Source: PPPoE_net
Destination: any
  5. Confirm outbound NAT covers the subscriber subnet: Firewall - NAT - Outbound in Automatic mode lists the networks it translates; if the PPPoE subnet is absent, switch to Hybrid mode and add a mapping from that subnet to the WAN address

  6. For bandwidth limiting, use Firewall - Traffic Shaper or limiters

Routing Public IP Subnets to Internal Servers

Scenario: the ISP has allocated a block of public IPs that need to be routed to internal servers without NAT (direct routing).

Step-by-Step

  1. Ask the ISP to route the block to the pfSense WAN address. A routed block is distinct from the WAN subnet itself: extra addresses inside the WAN subnet are handled with Virtual IPs, a routed block is not

  2. For servers in a separate subnet (e.g., DMZ) that should use the public addresses directly:

    • Assign one address from the block to the pfSense DMZ interface (Static IPv4 with the block's prefix length, e.g., the first usable address)
    • Give the servers addresses from the rest of the block with the pfSense DMZ address as their gateway
    • No Virtual IPs and no static routes are needed; pfSense routes the block because it is directly connected
  3. Prevent outbound NAT from rewriting the public addresses: Firewall - NAT - Outbound, switch to Hybrid mode and add a mapping for the DMZ subnet with "Do not NAT" checked (in Automatic mode pfSense would translate the DMZ subnet to the WAN address like any other internal network)

  4. Create firewall rules on WAN to allow inbound traffic to the servers' public IPs; the default deny on WAN blocks everything else

  5. If the servers keep private IPs instead, add the public addresses at Firewall - Virtual IPs (Type IP Alias, Interface WAN, one entry per address) and map them with Firewall - NAT - 1:1 or with port forwards

For NAT configuration details, see the pfSense NAT section.

IPv6 Tunnel Broker (Hurricane Electric) Setup

Hurricane Electric provides free IPv6 tunnels for obtaining IPv6 connectivity over IPv4 infrastructure. pfSense supports GIF tunnel configuration for connecting to HE.

Step-by-Step

  1. Register at tunnelbroker.net and create a tunnel:

    • tunnelbroker.net checks that the endpoint answers ICMP echo requests, so allow ICMP echo requests on WAN (Firewall - Rules - WAN, at least from the chosen tunnel server) before creating the tunnel
    • Specify the pfSense WAN public IPv4 address
    • Record the following:
      • Server IPv4 Address
      • Server IPv6 Address
      • Client IPv6 Address
      • Routed /48 or /64 prefix
  2. On pfSense, navigate to Interfaces - GIFs and create a GIF tunnel:

    • Parent Interface - WAN
    • GIF Remote Address - Server IPv4 Address from HE
    • GIF tunnel local address - Client IPv6 Address
    • GIF tunnel remote address - Server IPv6 Address
    • Route caching - disable
  3. Navigate to Interfaces - Assign and assign the GIF tunnel as a new interface (HE_IPv6)

  4. Configure the interface:

    • IPv6 Configuration Type - Static IPv6
    • IPv6 Address - leave the IPv6 Configuration Type at None; the GIF tunnel already applies the Client IPv6 Address (/128) to the interface, and the gateway is added in the next step
  5. Navigate to System - Routing - Gateways and add an IPv6 gateway:

    • Interface - HE_IPv6
    • Gateway - Server IPv6 Address
  6. Configure LAN for IPv6 distribution:

    • Navigate to Interfaces - LAN
    • IPv6 Configuration Type - Static IPv6
    • IPv6 Address - first address from the Routed /64 prefix
  7. Enable IPv6 distribution via Router Advertisements:

    • Services - Router Advertisements - LAN
    • Router Mode - Assisted or Unmanaged
    • Router Priority - Normal
  8. Navigate to System - Routing and set the default IPv6 gateway

Dual-Stack IPv4+IPv6 Deployment

Dual-stack provides simultaneous IPv4 and IPv6 operation on all interfaces. Clients receive addresses from both stacks and use the preferred protocol for each connection.

Step-by-Step

  1. Confirm the ISP provides IPv6 connectivity (native or via DHCPv6-PD)

  2. Configure WAN for IPv6:

    • Navigate to Interfaces - WAN
    • IPv6 Configuration Type - DHCPv6
    • DHCPv6 Prefix Delegation Size - select the delegated prefix size (typically /56 or /48)
    • Send IPv6 prefix hint - checked
    • Do not wait for a RA - checked (if needed)
  3. Configure LAN for IPv6 distribution:

    • Navigate to Interfaces - LAN
    • IPv6 Configuration Type - Track Interface
    • IPv6 Interface - WAN
    • IPv6 Prefix ID - 0
  4. Configure Router Advertisements: Services - Router Advertisements - LAN

    • Router Mode - Assisted (SLAAC + DHCPv6)
  5. Configure DHCPv6 if needed: Services - DHCPv6 Server & RA - LAN

  6. Ensure firewall rules account for IPv6 traffic:

    • The default LAN rule set includes an "allow LAN IPv6 to any" rule; any tightening applied to the IPv4 LAN rules must be repeated for IPv6, or written once with Address Family set to IPv4+IPv6
    • pfSense blocks unsolicited inbound IPv6 on WAN by default; because internal hosts are reachable by their global addresses without NAT, the WAN rules are the only barrier between the internet and those hosts, so audit them before opening anything
  7. Test dual-stack: open test-ipv6.com from a client device

For additional IPv6 configuration details, see the pfSense IPv6 section.
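Both IPv6 recipes hinge on prefix arithmetic: the tunnel-broker LAN takes the first address of the routed /64, and a Track Interface LAN takes one /64 out of the delegated prefix selected by the hexadecimal Prefix ID, where a duplicate or out-of-range ID is the usual cause of a LAN that never gets addresses. The Python script below, an added example rather than pfSense code, computes the /64 for a given delegation and Prefix ID, the ::1 router address, and a per-interface plan that refuses duplicate IDs; the documentation-range prefixes and interface names are constructed.

```python
"""Derive the LAN /64 pfSense will use from a delegated prefix and a Prefix ID,
and the router address for a routed /64 (tunnel-broker LAN).

Prefix ID in the GUI is hexadecimal; valid values depend on the delegation size:
a /56 gives 256 /64s (IDs 0..ff), a /48 gives 65536 (IDs 0..ffff).
"""
import ipaddress


def lan_prefix(delegated, prefix_id, lan_len=64):
    """Return the /64 selected by prefix_id inside the delegated prefix."""
    pd = ipaddress.ip_network(delegated, strict=True)
    if pd.version != 6 or pd.prefixlen > lan_len:
        raise ValueError("delegated prefix must be IPv6 and no longer than the LAN prefix")
    count = 1 << (lan_len - pd.prefixlen)
    if not 0 <= prefix_id < count:
        raise ValueError(
            f"Prefix ID {prefix_id:x} out of range for a /{pd.prefixlen} "
            f"(max {count - 1:x})")
    base = int(pd.network_address) + (prefix_id << (128 - lan_len))
    return ipaddress.ip_network(f"{ipaddress.IPv6Address(base)}/{lan_len}")


def router_address(prefix):
    """First host address (::1) pfSense takes on a LAN from a routed or tracked /64."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 6:
        raise ValueError("IPv6 prefix expected")
    return f"{ipaddress.IPv6Address(int(net.network_address) + 1)}/{net.prefixlen}"


def lan_plan(delegated, interfaces):
    """Map interface name -> (prefix, router address) for a dict of Prefix IDs,
    refusing duplicate IDs, which would put two LANs on the same /64."""
    seen = {}
    plan = {}
    for name, pid in interfaces.items():
        if pid in seen:
            raise ValueError(f"Prefix ID {pid:x} used by both {seen[pid]} and {name}")
        seen[pid] = name
        net = lan_prefix(delegated, pid)
        plan[name] = (str(net), router_address(str(net)))
    return plan


if __name__ == "__main__":
    # Constructed documentation-range delegation; names and IDs are illustrative.
    for iface, (net, addr) in lan_plan("2001:db8:1:f00::/56",
                                       {"LAN": 0x0, "GUEST": 0x1, "DMZ": 0xff}).items():
        print(f"{iface:6} {net:28} router {addr}")
    print("routed /64 router address:", router_address("2001:db8:2:abcd::/64"))
```

When the ISP hands out a /64 instead of a /56 or /48, `lan_prefix` only accepts Prefix ID 0 and a second tracked interface fails, which matches what pfSense does: only one interface can track a /64 delegation.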

LAGG Bonding for High Availability Links

LAGG (Link Aggregation) combines multiple physical interfaces into a single logical channel to increase throughput and provide failover capability.

Step-by-Step

  1. Confirm the switch supports LACP (802.3ad) and the relevant ports are configured

  2. Navigate to Interfaces - LAGGs and click Add:

    • Parent Interfaces - select two or more interfaces (e.g., igb0, igb1)
    • LAGG Protocol:
      • LACP - IEEE 802.3ad; negotiates the aggregate with the switch and detects a member whose link is up but whose partner is not aggregating; requires switch support (recommended)
      • Failover - active/passive; only the master port carries traffic until it fails; no switch support required
      • Loadbalance - static aggregation that hashes each flow onto a member without negotiation; the switch must be configured for a static port-channel and a misconfigured member is not detected
      • Roundrobin - sends successive packets over successive members; maximizes raw throughput but can reorder packets within a flow, so it is rarely appropriate for TCP-heavy links
    • Description - LAGG_WAN or LAGG_LAN
  3. Navigate to Interfaces - Assign and assign the LAGG as an interface (replacing the individual physical interfaces)

  4. Configure an IP address on the LAGG interface

  5. Remove assignments from the original physical interfaces (they are now LAGG members)

  6. On the switch, configure an LACP port-channel on the corresponding ports

  7. Verify LAGG status: Status - Interfaces or via console:

ifconfig lagg0
  8. Test failover: disconnect one cable and verify that connectivity is maintained

Important: when using LACP, both ends (pfSense and the switch) must be configured for LACP. A protocol mismatch results in connectivity loss. In Failover mode, the switch does not require special configuration.
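The ifconfig lagg0 output from step 7 is where a protocol mismatch shows up: the member links are up, but their laggport flags stay at 0<> because the switch never completed LACP negotiation. The Python script below is an added example, not pfSense code; it parses constructed FreeBSD-style ifconfig output, applies the per-protocol meaning of the ACTIVE, COLLECTING and DISTRIBUTING flags, and classifies the aggregate as healthy, degraded, down or misconfigured, which is what a monitoring check for this recipe needs. The MAC address, IP addresses and member names in the sample are placeholders.

```python
"""Check a LAGG's member state from `ifconfig lagg0` output (FreeBSD format).

The flags on each laggport line show whether LACP actually negotiated: a
member that is up at link level but stuck at flags=0<> usually means the
switch side is not configured for LACP.
"""
import re

PROTO_RE = re.compile(r"laggproto (\S+)")
PORT_RE = re.compile(r"laggport: (\S+) flags=[0-9a-fA-F]+<([^>]*)>")

# Constructed sample output; the MAC and IP addresses are placeholders.
HEALTHY = """\
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:00:5e:00:53:01
\tinet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
\tlaggproto lacp lagghash l2,l3,l4
\tlagg options:
\t\tflags=0<>
\t\tflowid_shift: 16
\tlagg statistics:
\t\tactive ports: 2
\t\tflapping: 0
\tlaggport: igb0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
\tlaggport: igb1 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
\tgroups: lagg
\tstatus: active
"""
# One member lost its partner (cable to a non-LACP port, or the switch dropped it).
ONE_DOWN = HEALTHY.replace("laggport: igb1 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>",
                           "laggport: igb1 flags=0<>")
# Protocol mismatch: links up, nothing negotiated, no traffic flows.
MISMATCH = HEALTHY.replace("flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>", "flags=0<>")


def parse_lagg(output):
    """Return the protocol and a {member: set(flags)} map."""
    proto = PROTO_RE.search(output)
    ports = {m.group(1): set(filter(None, m.group(2).split(",")))
             for m in PORT_RE.finditer(output)}
    return {"proto": proto.group(1) if proto else None, "ports": ports}


def lagg_health(output, expected_members):
    """Classify the LAGG as healthy, degraded, down or misconfigured.

    For lacp a member is usable only when it is ACTIVE and both COLLECTING and
    DISTRIBUTING; for failover only one member is ACTIVE by design, so the
    aggregate is healthy as long as one member carries traffic.
    """
    st = parse_lagg(output)
    missing = sorted(set(expected_members) - set(st["ports"]))
    if st["proto"] is None or missing:
        return {"state": "misconfigured", "proto": st["proto"], "usable": [], "missing": missing}
    need = {"ACTIVE", "COLLECTING", "DISTRIBUTING"} if st["proto"] == "lacp" else {"ACTIVE"}
    usable = sorted(p for p, f in st["ports"].items() if need <= f)
    if not usable:
        state = "down"
    elif st["proto"] == "failover" or len(usable) == len(st["ports"]):
        state = "healthy"
    else:
        state = "degraded"
    return {"state": state, "proto": st["proto"], "usable": usable, "missing": missing}


if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY), ("one down", ONE_DOWN), ("mismatch", MISMATCH)):
        print(label, lagg_health(sample, ["igb0", "igb1"]))
```

On a live system feed it `ifconfig lagg0` output (for example via a cron job or a monitoring agent's exec check); a "degraded" result after the step 8 failover test means the aggregate survived but is running on a single link, which is the state to alert on before the second link fails.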
