Justinaquino: Create Introduction Training Module 0 - personal/small business firewall setup

2026-04-23T07:21:00Z

Create Introduction Training Module 0 - personal/small business firewall setup

New page

__NOTOC__
<div style="background:#fff3e0; border:1px solid #ffb74d; border-radius:4px; padding:12px 16px; margin-bottom:20px;">
'''Comfac Entry-Level Training: Module 0''' — Setting Up a Firewall for Yourself. The most common, practical starting point before advancing to the full FUND001 curriculum.
</div>

== Target Audience ==
* Home users who want to secure their network
* Small business owners (1–10 employees)
* IT staff new to networking before they tackle enterprise deployments
* Anyone who has never configured a router or firewall before

== Learning Objectives ==
By the end of this module, you will be able to:
* Explain why a firewall is necessary for homes and small offices
* Install pfSense on an old PC or VM with minimum hardware
* Configure basic WAN and LAN interfaces
* Set up essential firewall rules (allow outgoing, block incoming)
* Configure port forwarding for common services
* Set up a basic WireGuard VPN for remote access
* Back up and update the firewall configuration
* Diagnose common connectivity problems

== Module 0: Why You Need a Firewall ==
=== The Threats at Home and Small Office ===
Most people rely on the "router" provided by their ISP. These devices are:
* '''Minimally configured''' — often with default passwords and outdated firmware
* '''Poorly maintained''' — ISPs rarely push security updates promptly
* '''Limited in features''' — no VPN, no traffic logging, no intrusion detection

'''Common risks:'''
* Unauthorized remote access to cameras, NAS, printers
* Malware spreading between family/employee devices
* Cryptojacking, ransomware, botnet participation
* Data exfiltration from poorly secured IoT devices

'''What a firewall gives you:'''
* '''Stateful inspection''' — only allows return traffic for connections you initiated
* '''Network segmentation''' — isolate guests, IoT, and work devices
* '''VPN access''' — securely access your home/office network from anywhere
* '''Logging & visibility''' — see what devices are doing on your network
* '''Ad and malware blocking''' — integrate with DNS blocklists (Pi-hole)

== Module 1: Hardware and Installation ==
=== Minimum Hardware ===
{| class="wikitable"
! Component !! Minimum !! Recommended
|-
| CPU || 64-bit, 1 GHz || 64-bit, 2+ cores, AES-NI support
|-
| RAM || 1 GB || 4 GB
|-
| Storage || 8 GB SSD/USB || 32 GB SSD
|-
| NICs || 2 Ethernet ports || Intel i210/i350 dual/quad port NIC
|}

'''Good sources of cheap hardware:'''
* Old office desktops (Dell OptiPlex, HP EliteDesk)
* Thin clients with PCIe slot for NIC
* Used 1U servers (noisy but cheap)
* Protectli/Qotom mini-PCs (purpose-built, fanless)

'''Installation methods:'''
# Download pfSense CE ISO from https://www.pfsense.org/downloads
# Write to USB with Rufus (Windows) or dd (Linux)
# Boot from USB, install to SSD/HDD
# Remove USB, reboot
# Default LAN: 192.168.1.1

== Module 2: First Boot and Basic Setup ==
=== The Setup Wizard ===
# Connect laptop to LAN port
# Browse to https://192.168.1.1
# Log in: admin / pfsense
# Complete the wizard:
#* '''General Info''' — Set hostname (e.g., homefw), domain (local)
#* '''Time Server''' — Use default or local NTP
#* '''WAN''' — Select DHCP (most home/DSL) or PPPoE (some fiber)
#* '''LAN''' — Leave 192.168.1.1/24 or change to obscure subnet (e.g., 10.47.83.1/24)
#* '''Password''' — Change from default immediately

'''Why change from 192.168.1.1?''' If you later connect via VPN from a coffee shop that also uses 192.168.1.x, your traffic may not route correctly. Using an obscure subnet avoids this.

=== Essential Post-Setup ===
# '''System -> General Setup''' — Set timezone, language
# '''System -> Advanced -> Networking''' — Disable NAT reflection if not needed
# '''System -> Update''' — Check for updates immediately
# '''Diagnostics -> Backup & Restore''' — Download first config backup

== Module 3: Essential Firewall Rules ==
=== Default Rules (pfSense handles these automatically) ===
* '''LAN''' — Allow all (default)
* '''WAN''' — Block all (implicit, not shown)

=== Best Practice: Restrict LAN Outbound ===
For a more secure home/small office, replace "LAN allow all" with specific allowed protocols:

{| class="wikitable"
! Protocol !! Port !! Purpose
|-
| TCP/UDP || 53 || DNS
|-
| TCP/UDP || 123 || NTP
|-
| TCP/UDP || 443 || HTTPS
|-
| TCP || 80 || HTTP (optional)
|-
| TCP/UDP || 5222 || XMPP/chat (optional)
|}

'''How to do it:'''
# Firewall -> Rules -> LAN
# Delete the default "Allow All" rule
# Add rules for each protocol/port above
# Add a final "Block" rule at the bottom (with logging enabled)

'''Note:''' This breaks some apps/games. For a family home, "Allow All" outbound is usually fine. For a business, restrict outbound.

== Module 4: Port Forwarding ===
=== Common Scenarios ===
{| class="wikitable"
! Service !! External Port !! Internal IP !! Internal Port !! Notes
|-
| Minecraft server || 25565 || 192.168.1.50 || 25565 || Gaming
|-
| Camera/DVR || 8080 || 192.168.1.60 || 80 || Change default port
|-
| NAS/Web || 443 || 192.168.1.70 || 443 || Use reverse proxy if multiple services
|-
| Plex || 32400 || 192.168.1.80 || 32400 || Remote streaming
|}

'''Steps:'''
# Firewall -> NAT -> Port Forward
# Click Add
# Interface: WAN
# Protocol: TCP (or TCP/UDP)
# Destination: WAN Address
# Destination Port Range: external port
# Redirect Target IP: internal server IP
# Redirect Target Port: internal port
# Save → Apply

'''Security tip:''' Don't forward RDP (3389) or SSH (22) directly. Use a VPN instead.

== Module 5: WireGuard VPN (Road Warrior) ==
=== Why VPN beats port forwarding ===
* One secure tunnel instead of many open ports
* Access your entire network as if you were there
* Works on phones, laptops, tablets
* No need to expose individual services

=== Setup Steps ===
# Install '''WireGuard package''' — System -> Package Manager -> Available Packages
# VPN -> WireGuard -> Settings → Enable
# Tunnels → Add Tunnel
#* Name: RoadWarrior
#* Listen Port: 51820
#* Interface Keys: Generate key pair
# Save
# Assign interface — Interfaces -> Assignments → add wg0 as OPTx
# Enable interface, set static IP: 10.200.200.1/24
# Peers → Add Peer
#* Tunnel: RoadWarrior
#* Public Key: [client's public key]
#* Allowed IPs: 10.200.200.2/32
#* Endpoint: [blank for roaming clients]
# Firewall -> Rules -> WireGuard interface → Allow All
# Firewall -> Rules -> LAN → Allow from WireGuard net
# Firewall -> NAT -> Outbound → Manual → Add rule for WireGuard net → WAN

'''Client config (phone/laptop):'''
* Install WireGuard app
* Create tunnel, scan QR code or paste config
* Peer: [server public key], Endpoint: your-public-ip:51820
* Allowed IPs: 0.0.0.0/0 (full tunnel) or 192.168.1.0/24 (split tunnel)

'''Opening the port:'''
# Firewall -> Rules -> WAN
# Add rule: Protocol UDP, Port 51820, Source Any, Destination WAN Address

== Module 6: Backup and Maintenance ==
=== Monthly Checklist ===
* [ ] System -> Update: Check for updates
* [ ] Diagnostics -> Backup & Restore: Download config backup
* [ ] Check Dashboard for interface errors, high CPU, or memory usage
* [ ] Review Firewall logs for blocked suspicious traffic
* [ ] Verify VPN clients can still connect

=== Yearly Checklist ===
* [ ] Rotate WireGuard keys
* [ ] Review all port forwards — remove unused ones
* [ ] Check certificate expiry (if using ACME/Let's Encrypt)
* [ ] Audit user accounts and passwords
* [ ] Test restore from backup on a spare VM

== Troubleshooting Common Problems ==
{| class="wikitable"
! Problem !! Likely Cause !! Fix
|-
| No Internet after install || WAN not getting IP || Check cable; set WAN to DHCP or PPPoE
|-
| Can't access web GUI || Wrong IP; HTTPS blocked || Try http://192.168.1.1; check laptop IP
|-
| Port forward not working || ISP CGNAT || Check WAN IP vs public IP; use VPN instead
|-
| VPN connects but no LAN access || Missing firewall/NAT rule || Add allow rule on WireGuard iface; add outbound NAT
|-
| Slow Internet || Hardware too weak || Check CPU usage; upgrade NIC or whole box
|-
| Can't reach some websites || DNS issue || Use 1.1.1.1 or 8.8.8.8 in DNS Resolver forwarders
|}

== Build Your Own Firewall — Capstone Exercise ==
'''Scenario:''' You have an old Dell OptiPlex, a 2-port Intel NIC, and a home fiber connection.

'''Requirements:'''
# Install pfSense CE
# Configure WAN (DHCP) and LAN (static 10.47.83.1/24)
# Set admin password
# Enable DNS Resolver with forwarding to Cloudflare (1.1.1.1)
# Create firewall rules: allow DNS, HTTPS, NTP outbound only
# Set up WireGuard for 2 devices (phone + laptop)
# Forward port 32400 to a Plex server at 10.47.83.50
# Enable AutoConfigBackup (or manual monthly backups)
# Document everything in a simple runbook

'''Success criteria:'''
* Family can browse web normally
* You can VPN in from outside and access LAN resources
* Plex is accessible remotely
* Configuration is backed up

== Next Steps ==
Once comfortable with this module, advance to the full '''FUND001 curriculum''':
# [[Training: pfSense Introduction]] — Phase 1, Day 1
# [[Training Lab 1: Introduction and Backup Restore]] — Hands-on lab

Or explore specialized topics:
* [[Training: pfSense Services]] — DHCP, DNS, Dynamic DNS deep dive
* [[Training: Multi-WAN]] — Add a backup ISP connection
* [[Networking PfSense Index]] — All Comfac networking resources

----
''This module was created for Comfac IT practical training. Built on real-world frequency of problems encountered from personal to small-business networks.''

Training: Setting Up a Firewall for Yourself - Revision history

Justinaquino: Create Introduction Training Module 0 - personal/small business firewall setup