https://mediawiki.comfac.net/index.php?action=history&feed=atom&title=Training%3A_Interfaces_and_Firewall_Rules
Training: Interfaces and Firewall Rules - Revision history
2026-06-05T11:00:51Z
Revision history for this page on the wiki
MediaWiki 1.45.1
https://mediawiki.comfac.net/index.php?title=Training:_Interfaces_and_Firewall_Rules&diff=227&oldid=prev
Justinaquino: Created page with "__NOTOC__ <div style="background-color:#e6f3ff; border:1px solid #0066cc; padding:10px; margin-bottom:15px;"> '''Module: FUND001-LIVE Section 2 — Interfaces, VIPs, and Firewall Rules'''<br> This training module covers pfSense interface configuration, Virtual IP types, firewall rules, aliases, and best practices for rule management. </div> == Learning Objectives == By the end of this module, you will be able to: * Understand OS interface names versus pfSense interfa..."
2026-04-23T06:58:28Z
<p>Created page with "__NOTOC__ <div style="background-color:#e6f3ff; border:1px solid #0066cc; padding:10px; margin-bottom:15px;"> '''Module: FUND001-LIVE Section 2 — Interfaces, VIPs, and Firewall Rules'''<br> This training module covers pfSense interface configuration, Virtual IP types, firewall rules, aliases, and best practices for rule management. </div> == Learning Objectives == By the end of this module, you will be able to: * Understand OS interface names versus pfSense interfa..."</p>
<p><b>New page</b></p><div>__NOTOC__<br />
<br />
<div style="background-color:#e6f3ff; border:1px solid #0066cc; padding:10px; margin-bottom:15px;"><br />
'''Module: FUND001-LIVE Section 2 — Interfaces, VIPs, and Firewall Rules'''<br><br />
This training module covers pfSense interface configuration, Virtual IP types, firewall rules, aliases, and best practices for rule management.<br />
</div><br />
<br />
== Learning Objectives ==<br />
<br />
By the end of this module, you will be able to:<br />
<br />
* Understand OS interface names versus pfSense interface identifiers<br />
* Configure and manage interfaces in pfSense<br />
* Identify and apply appropriate Virtual IP (VIP) types<br />
* Create and manage firewall rules with proper ordering<br />
* Use aliases to simplify and streamline rulesets<br />
* Apply firewall best practices and troubleshooting techniques<br />
<br />
== Interfaces ==<br />
<br />
=== OS Interface Names vs. Interface Identifiers ===<br />
<br />
In pfSense, network interfaces have two naming conventions:<br />
<br />
* '''OS Interface Names''' — Physical or virtual NIC names assigned by the operating system (e.g., <code>igb0</code>, <code>re1</code>, <code>ixl2</code>)<br />
* '''Interface Identifiers''' — User-friendly labels assigned within pfSense (e.g., <code>LAN</code>, <code>WAN</code>, <code>OPT1</code>)<br />
<br />
Key tasks:<br />
* Interface Assignments — mapping OS names to pfSense identifiers<br />
* Configuring Interfaces — setting IP addresses, enabling/disabling, and renaming<br />
<br />
== Virtual IPs (VIPs) ==<br />
<br />
Virtual IPs allow multiple IP addresses to be assigned to a single interface.<br />
<br />
=== VIP Types ===<br />
<br />
{| class="wikitable"<br />
! VIP Type<br />
! MAC Address Binding<br />
! NAT Service<br />
! ARP<br />
! HA<br />
! Ping<br />
! Single/Range<br />
|-<br />
| IP Alias<br />
| Parent NIC<br />
| Yes<br />
| Yes<br />
| Yes<br />
| Yes<br />
| Single<br />
|-<br />
| CARP<br />
| Shared vMAC<br />
| Yes<br />
| Yes<br />
| Yes<br />
| Yes<br />
| Single<br />
|-<br />
| Proxy ARP<br />
| Parent NIC<br />
| Yes<br />
| No<br />
| No<br />
| No<br />
| Either<br />
|-<br />
| Other<br />
| N/A<br />
| No<br />
| No<br />
| Yes<br />
| No<br />
| Either<br />
|}<br />
<br />
* '''IP Alias''' — Most common type; binds additional IPs to the parent NIC<br />
* '''CARP''' — Used for high availability; shares a virtual MAC address between redundant firewalls<br />
* '''Proxy ARP''' — Responds to ARP requests on behalf of another IP; no service binding<br />
* '''Other''' — For miscellaneous purposes such as 1:1 NAT without ARP<br />
<br />
== Firewall Rules ==<br />
<br />
=== Core Concepts ===<br />
<br />
* Rules apply '''inbound''' on the interface where traffic is sourced<br />
* '''First match wins''' — all subsequent rules are ignored for matching traffic<br />
* '''Stateful filtering''' — pfSense tracks connection states automatically<br />
* Actions: '''Pass''', '''Block''', and '''Reject'''<br />
<br />
=== Default Rules ===<br />
<br />
The following default rules are present on a new installation:<br />
<br />
* '''Block private networks''' — Blocks RFC 1918 traffic on WAN<br />
* '''Block bogon networks''' — Blocks unassigned/reserved IP space<br />
* '''Anti-lockout rule''' — Prevents administrators from locking themselves out<br />
* '''Default LAN Allow rule''' — Permits all outbound traffic from LAN<br />
<br />
=== Rule Evaluation Order ===<br />
<br />
# Floating Rules<br />
# Interface Group Rules<br />
# Single Interface Rules<br />
<br />
=== Floating Rules ===<br />
<br />
* Can apply to '''all interfaces'''<br />
* Checked '''first''' in evaluation order<br />
* Extra '''"match"''' action available<br />
* Can set traffic attributes (limiters, queues, etc.)<br />
* '''Not meant for regular access rules''' — primarily for traffic-shaping and advanced filtering<br />
<br />
=== Interface Groups ===<br />
<br />
* Association of multiple interfaces<br />
* '''Shared firewall ruleset''' across grouped interfaces<br />
* Eliminates need to duplicate rules between interfaces<br />
<br />
=== Advanced Settings ===<br />
<br />
Firewall rules support numerous advanced options:<br />
<br />
* Source OS (TCP only)<br />
* Diffserv Code Point (DSCP)<br />
* State type<br />
* TCP flags<br />
* No XMLRPC Sync<br />
* 802.1p<br />
* Schedule<br />
* Gateway<br />
* Limiters (In/Out)<br />
* ACK queue / Queue<br />
<br />
== Aliases ==<br />
<br />
Aliases simplify firewall rule management by grouping IPs, networks, hostnames, or ports under a single name.<br />
<br />
=== Benefits ===<br />
<br />
* Ease management<br />
* Faster, less error-prone updates<br />
* Shorter, more manageable rulesets<br />
<br />
=== Configuration Options ===<br />
<br />
* Statically configured<br />
* URL — one-time import, suitable for small lists<br />
* URL table — configurable update frequency, supports large and small lists<br />
* Nesting of aliases (aliases within aliases)<br />
* Bulk import<br />
<br />
== Best Practices ==<br />
<br />
* Follow '''default deny philosophy''' — allow only what is required, block all else<br />
* Keep rulesets '''short and clean'''<br />
* '''Periodic review''' of rules (recommended: quarterly)<br />
* Remember rules apply on the '''interface where traffic is sourced'''<br />
* Use '''aliases''' extensively in your rules<br />
<br />
== Troubleshooting ==<br />
<br />
When diagnosing firewall issues:<br />
<br />
* Remember: '''first match wins'''<br />
* Verify rules apply on the correct interface<br />
* '''Enable logging''' on suspect rules<br />
* Check '''states''' (Diagnostics > States)<br />
* Review '''System Logs > Firewall''' for blocked traffic<br />
<br />
== Summary ==<br />
<br />
{| class="wikitable"<br />
! Key Takeaway<br />
! Details<br />
|-<br />
| VIP Selection<br />
| Use appropriate VIP types (IP Alias, CARP, Proxy ARP) based on needs<br />
|-<br />
| Rule Ordering<br />
| Evaluation order: Floating → Interface Group → Single Interface<br />
|-<br />
| Aliases<br />
| Use aliases to keep rulesets manageable and reduce errors<br />
|-<br />
| Review Schedule<br />
| Check rules quarterly for accuracy and relevance<br />
|-<br />
| Interface Awareness<br />
| Rules apply on the interface where traffic is sourced<br />
|-<br />
| Floating Rules<br />
| Primarily for traffic-shaping, not regular access control<br />
|}<br />
<br />
This concludes Section 2.<br />
<br />
----<br />
<br />
'''Next Module:''' [[Training_Lab_2:_Firewall_Rules_and_Aliases|Lab 2 — Firewall Rules and Aliases]]<br />
<br />
''Source: Netgate FUND001-LIVE-SLIDE-SEG2-RULES.pdf''</div>
Justinaquino