
Training: Setting Up a Firewall for Yourself

From MediawikiCIT
Revision as of 07:21, 23 April 2026 by Justinaquino (talk | contribs) (Create Introduction Training Module 0 - personal/small business firewall setup)

Comfac Entry-Level Training: Module 0 — Setting Up a Firewall for Yourself. The most common, practical starting point before advancing to the full FUND001 curriculum.

Target Audience

  • Home users who want to secure their network
  • Small business owners (1–10 employees)
  • IT staff new to networking before they tackle enterprise deployments
  • Anyone who has never configured a router or firewall before

Learning Objectives

By the end of this module, you will be able to:

  • Explain why a firewall is necessary for homes and small offices
  • Install pfSense on an old PC or VM with minimum hardware
  • Configure basic WAN and LAN interfaces
  • Set up essential firewall rules (allow outgoing, block incoming)
  • Configure port forwarding for common services
  • Set up a basic WireGuard VPN for remote access
  • Back up and update the firewall configuration
  • Diagnose common connectivity problems

Module 0: Why You Need a Firewall

The Threats at Home and Small Office

Most people rely on the "router" provided by their ISP. These devices are:

  • Minimally configured — often with default passwords and outdated firmware
  • Poorly maintained — ISPs rarely push security updates promptly
  • Limited in features — no VPN, no traffic logging, no intrusion detection

Common risks:

  • Unauthorized remote access to cameras, NAS, printers
  • Malware spreading between family/employee devices
  • Cryptojacking, ransomware, botnet participation
  • Data exfiltration from poorly secured IoT devices

What a firewall gives you:

  • Stateful inspection — only allows return traffic for connections you initiated
  • Network segmentation — isolate guests, IoT, and work devices
  • VPN access — securely access your home/office network from anywhere
  • Logging & visibility — see what devices are doing on your network
  • Ad and malware blocking — integrate with DNS blocklists (the pfBlockerNG package on pfSense, or a separate Pi-hole on the LAN)

Module 1: Hardware and Installation

Minimum Hardware

Component   Minimum             Recommended
CPU         64-bit, 1 GHz       64-bit, 2+ cores, AES-NI support (for VPN throughput)
RAM         1 GB                4 GB
Storage     8 GB SSD/USB        32 GB SSD
NICs        2 Ethernet ports    Intel i210/i350 dual/quad port NIC

Good sources of cheap hardware:

  • Old office desktops (Dell OptiPlex, HP EliteDesk)
  • Thin clients with PCIe slot for NIC
  • Used 1U servers (noisy but cheap)
  • Protectli/Qotom mini-PCs (purpose-built, fanless)

Installation steps:

  1. Download the pfSense CE installer from https://www.pfsense.org/downloads (ISO for a VM or optical drive, USB memstick image for a flash drive) and verify the published SHA-256 checksum before using it
  2. Write the image to USB with Rufus in DD mode (Windows) or dd (Linux)
  3. Boot from USB, install to the SSD/HDD (not to the installer stick itself)
  4. Remove USB, reboot
  5. Default LAN address: 192.168.1.1, with DHCP enabled on LAN

Module 2: First Boot and Basic Setup

The Setup Wizard

  1. Connect laptop to LAN port (it receives an address by DHCP)
  2. Browse to https://192.168.1.1. The browser warns about the self-signed certificate; that is expected on first boot
  3. Log in: admin / pfsense (the default credentials, changed later in the wizard)
  4. Complete the wizard:
    • General Info — Set hostname (e.g., homefw) and domain (e.g., home.arpa; avoid .local, which collides with mDNS)
    • Time Server — Use default or local NTP
    • WAN — Select DHCP (most home/DSL) or PPPoE (some fiber)
    • LAN — Leave 192.168.1.1/24 or change to a less common subnet (e.g., 10.47.83.1/24)
    • Password — Change from default immediately

Why change from 192.168.1.1? Many ISP routers, hotels and coffee shops also use 192.168.1.0/24. If you later connect over VPN from such a network with a split tunnel, your laptop has two routes to 192.168.1.x and sends traffic meant for home resources to the local network instead. Picking a less common subnet avoids the overlap; the point is avoiding collisions, not hiding the network.

Essential Post-Setup

  1. System -> General Setup — Set timezone, language
  2. System -> Advanced -> Firewall & NAT — Confirm NAT Reflection is disabled (the default) unless you need to reach forwarded services by your public IP from inside the LAN
  3. System -> Update — Check for updates immediately
  4. Diagnostics -> Backup & Restore — Download the first config backup and store it off the firewall. Tick "Encrypt this configuration file" and set a passphrase: the export contains password hashes and VPN private keys

Module 3: Essential Firewall Rules

Default Rules (pfSense creates these automatically)

  • LAN — "Default allow LAN to any" (IPv4 and IPv6), plus the Anti-Lockout rule that keeps the web GUI and SSH reachable from LAN
  • WAN — Block all inbound (implicit default deny, not shown in the list); "Block private networks" and "Block bogon networks" are also enabled on WAN by default

Best Practice: Restrict LAN Outbound

For a more secure home/small office, replace "LAN allow all" with specific allowed protocols:

Protocol   Port   Purpose
TCP/UDP    53     DNS (to the firewall's LAN address only, if the DNS Resolver runs on pfSense)
UDP        123    NTP
TCP/UDP    443    HTTPS (UDP 443 is HTTP/3 over QUIC)
TCP        80     HTTP (optional)
TCP        5222   XMPP/chat (optional)

How to do it:

  1. Firewall -> Rules -> LAN
  2. Add a pass rule for each protocol/port above while the default "Allow All" rule is still present. pfSense evaluates rules top-down and the first match wins, so the new rules must sit above it
  3. Only then delete the two "Default allow LAN to any" rules. Leave the Anti-Lockout rule alone; removing it locks you out of the GUI
  4. Add a final "Block" rule at the bottom with logging enabled. pfSense already drops unmatched traffic, but the explicit rule gives you a log of what was denied and why

DNS detail: set the destination of the port 53 rule to "LAN address" rather than "any". Devices with a hard-coded 8.8.8.8 or 1.1.1.1 then hit the block rule instead of bypassing the Resolver and any blocklists you attach to it.

Note: This breaks some apps/games (game consoles, VoIP, anything on non-standard ports), so check the block log after a day and add rules for what you actually need. For a family home, "Allow All" outbound is usually fine. For a business, restrict outbound.
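The following is an added example for this page, not pfSense code. It mimics how pf, the packet filter behind pfSense, walks a rule list top-down and stops at the first match, so you can see why the order in the steps above matters and why pinning DNS to the firewall's address blocks bypass attempts. The firewall address (10.47.83.1), the LAN subnet and the sample flows are constructed for the demo.

```python
"""First-match evaluation of the restricted LAN ruleset from Module 3."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

FW_LAN_ADDR = ipaddress.ip_address("10.47.83.1")   # firewall's LAN address (assumed)
LAN_NET = ipaddress.ip_network("10.47.83.0/24")    # LAN subnet (assumed)


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp", or "any"
    dst: str               # destination CIDR, or "any"
    dport: Optional[int]   # None = any destination port
    log: bool = False
    descr: str = ""

    def matches(self, proto: str, dst: str, dport: int) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dst != "any" and ipaddress.ip_address(dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == dport


# The ruleset from the table above, in the order it should sit on the LAN tab.
LAN_RULES = [
    Rule("pass", "udp", f"{FW_LAN_ADDR}/32", 53, descr="DNS to the Resolver only"),
    Rule("pass", "tcp", f"{FW_LAN_ADDR}/32", 53, descr="DNS (TCP) to the Resolver only"),
    Rule("pass", "udp", "any", 123, descr="NTP"),
    Rule("pass", "tcp", "any", 443, descr="HTTPS"),
    Rule("pass", "udp", "any", 443, descr="HTTP/3 (QUIC)"),
    Rule("pass", "tcp", "any", 80, descr="HTTP (optional)"),
    Rule("block", "any", "any", None, log=True, descr="Block and log everything else"),
]


def decide(rules, proto: str, dst: str, dport: int):
    """Return (action, description, logged) from the first matching rule.

    pfSense's ruleset ends in a default deny, so an unmatched flow is blocked.
    """
    for r in rules:
        if r.matches(proto, dst, dport):
            return r.action, r.descr, r.log
    return "block", "implicit default deny", False


def evaluate_flows(rules, flows):
    """Evaluate (proto, dst, dport) flows; return (flow, action, descr) per flow."""
    return [(f, *decide(rules, *f)[:2]) for f in flows]


# Constructed sample flows from a LAN host.
SAMPLE_FLOWS = [
    ("udp", "10.47.83.1", 53),       # DNS to the firewall: allowed
    ("udp", "8.8.8.8", 53),          # hard-coded public DNS: blocked (bypasses blocklists)
    ("tcp", "198.51.100.7", 443),    # HTTPS: allowed
    ("udp", "198.51.100.7", 443),    # QUIC: allowed
    ("tcp", "198.51.100.20", 3389),  # RDP out to the Internet: blocked and logged
]

if __name__ == "__main__":
    for flow, action, descr in evaluate_flows(LAN_RULES, SAMPLE_FLOWS):
        print(f"{flow[0]:3} -> {flow[1]}:{flow[2]:<5} {action:5} ({descr})")
    # Same rules with the block rule moved to the top: everything is denied.
    print("misordered:", decide([LAN_RULES[-1]] + LAN_RULES[:-1], "tcp", "198.51.100.7", 443)[0])
```

Moving the block rule to the top of the list, as the last line of the script does, denies every flow, which is exactly what happens on a real LAN tab if step 4 is done before step 2.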

Module 4: Port Forwarding

Common Scenarios

Service            External Port   Internal IP     Internal Port   Notes
Minecraft server   25565           192.168.1.50    25565           Gaming
Camera/DVR         8080            192.168.1.60    80              Change default port
NAS/Web            443             192.168.1.70    443             Use reverse proxy if multiple services
Plex               32400           192.168.1.80    32400           Remote streaming

Steps:

  1. Firewall -> NAT -> Port Forward
  2. Click Add
  3. Interface: WAN
  4. Protocol: TCP (or TCP/UDP if the service needs both)
  5. Destination: WAN Address
  6. Destination Port Range: external port
  7. Redirect Target IP: internal server IP (give the server a static DHCP mapping first, or the forward breaks when its address changes)
  8. Redirect Target Port: internal port
  9. Filter rule association: leave at "Add associated filter rule" so pfSense creates the matching WAN pass rule. Without it the NAT entry exists but the traffic is still blocked
  10. Save → Apply

Security tip: Don't forward RDP (3389), SSH (22), or camera/DVR/NAS web interfaces directly. Changing the external port, as in the 8080 → 80 camera example, only reduces scanner noise; it is not protection. Use the VPN in Module 5 instead, and remove forwards you no longer need.
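An added example for this page (not pfSense's own tooling) that turns the security tip above and the yearly "review all port forwards" check into a repeatable script. It reads the <nat><rule> entries from a pfSense config.xml backup and flags forwards a reviewer should question. The XML below is a constructed fragment laid out like the entries pfSense writes in its Backup & Restore export; the services, addresses and descriptions are invented for the demo, and the list of risky ports is an assumption based on the tip.

```python
"""Audit the port forwards in a pfSense config.xml backup."""
import xml.etree.ElementTree as ET

# Ports the module says should never be forwarded directly (use the VPN instead),
# plus a few classic remote-management ports a reviewer would add (assumption).
RISKY_PORTS = {22: "SSH", 23: "Telnet", 445: "SMB", 3389: "RDP", 5900: "VNC"}

# Constructed config.xml fragment; structure follows pfSense's <nat><rule> layout.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <nat>
    <rule>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source><any/></source>
      <destination><network>wanip</network><port>32400</port></destination>
      <target>10.47.83.50</target>
      <local-port>32400</local-port>
      <descr>Plex remote streaming</descr>
    </rule>
    <rule>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source><any/></source>
      <destination><network>wanip</network><port>3389</port></destination>
      <target>10.47.83.20</target>
      <local-port>3389</local-port>
      <descr>Temp RDP for accountant</descr>
    </rule>
    <rule>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source><any/></source>
      <destination><network>wanip</network><port>8080</port></destination>
      <target>10.47.83.60</target>
      <local-port>80</local-port>
      <descr></descr>
    </rule>
    <rule>
      <disabled/>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source><any/></source>
      <destination><network>wanip</network><port>2222</port></destination>
      <target>10.47.83.30</target>
      <local-port>22</local-port>
      <descr>Old NAS SSH</descr>
    </rule>
  </nat>
</pfsense>
"""


def parse_forwards(config_xml: str):
    """Return one dict per <nat><rule> with the fields that matter for review."""
    root = ET.fromstring(config_xml)
    forwards = []
    for rule in root.findall("./nat/rule"):
        def text(path, default=""):
            node = rule.find(path)
            return (node.text or default).strip() if node is not None else default
        forwards.append({
            "enabled": rule.find("disabled") is None,   # <disabled/> marks an off rule
            "proto": text("protocol", "tcp"),
            "ext_port": text("destination/port"),
            "target": text("target"),
            "int_port": text("local-port"),
            "descr": text("descr"),
        })
    return forwards


def audit_forwards(forwards):
    """Return (target:port, reason) for every forward a reviewer should question."""
    findings = []
    for f in forwards:
        where = f"{f['target']}:{f['int_port']}"
        if not f["enabled"]:
            findings.append((where, "disabled rule still present; delete if unused"))
            continue
        int_port = int(f["int_port"]) if f["int_port"].isdigit() else None
        if int_port in RISKY_PORTS:
            findings.append((where, f"{RISKY_PORTS[int_port]} exposed directly; move behind the VPN"))
        if not f["descr"]:
            findings.append((where, "no description; unknown owner or purpose"))
    return findings


if __name__ == "__main__":
    for where, reason in audit_forwards(parse_forwards(SAMPLE_CONFIG)):
        print(f"{where:<20} {reason}")
```

Run it against a real export with `parse_forwards(open("config-homefw.xml").read())`; the Plex forward passes clean, the RDP and undocumented camera forwards are flagged, and the disabled SSH rule is reported as clutter to remove.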

Module 5: WireGuard VPN (Road Warrior)

Why VPN beats port forwarding

  • One secure tunnel instead of many open ports
  • Access your entire network as if you were there
  • Works on phones, laptops, tablets
  • No need to expose individual services

Setup Steps

  1. Install WireGuard package — System -> Package Manager -> Available Packages
  2. VPN -> WireGuard -> Settings → Enable
  3. Tunnels → Add Tunnel
    • Name: RoadWarrior
    • Listen Port: 51820
    • Interface Keys: Generate key pair (the private key stays on the firewall; only the public key goes into client configs)
  4. Save
  5. Assign interface — Interfaces -> Assignments → add tun_wg0 as OPTx and rename it (e.g., WG_RW)
  6. Enable interface, IPv4 Configuration Type: Static IPv4, address 10.200.200.1/24
  7. Peers → Add Peer (one per device)
    • Tunnel: RoadWarrior
    • Public Key: [client's public key]
    • Allowed IPs: 10.200.200.2/32 (the single tunnel address this device may use; the next device gets 10.200.200.3/32)
    • Endpoint: [blank for roaming clients]
    • Pre-shared Key: optional; generate one per peer and copy it into that client's config
  8. Firewall -> Rules -> WG_RW → Allow All (or narrower: pass from "WG_RW net" to "LAN net" only). pfSense filters traffic on the interface where it enters, so this rule is what admits VPN clients into the LAN; no extra LAN rule is needed, because the default LAN rule already lets LAN hosts answer and reach the clients
  9. Firewall -> NAT -> Outbound — only needed for full-tunnel clients (Allowed IPs 0.0.0.0/0). In Automatic or Hybrid mode a rule for 10.200.200.0/24 should already be listed, since pfSense generates one for assigned interfaces with a static address; if it is missing, or you run Manual mode, add a rule mapping WG_RW net → WAN address

Client config (phone/laptop):

  • Install WireGuard app
  • Create the tunnel in the app (which generates the device's own key pair) or scan a QR code / paste a prepared config; paste the device's public key into its peer entry on pfSense
  • [Interface] Address: 10.200.200.2/32 (must match that peer's Allowed IPs on the firewall); DNS: 10.200.200.1 so name lookups also go through the tunnel
  • [Peer] PublicKey: the tunnel's public key from step 3; Endpoint: your-public-ip:51820
  • AllowedIPs: 0.0.0.0/0 (full tunnel) or your LAN subnet plus the tunnel subnet, e.g. 192.168.1.0/24, 10.200.200.0/24 (split tunnel)
  • Home connections usually have a changing public IP. Enable Services -> Dynamic DNS on pfSense and use that hostname as the Endpoint instead of the bare IP

Opening the port:

  1. Firewall -> Rules -> WAN
  2. Add rule: Protocol UDP, Source Any, Destination WAN Address, Destination Port 51820
  3. This is the only inbound port the VPN needs. WireGuard does not reply to packets that lack a valid key, so to a port scanner the listener looks closed
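The following is an added example for this page, not pfSense or WireGuard project code. It shows where the keys in the steps above come from and how the firewall-side peer entry and the client .conf must mirror each other: WireGuard keys are Curve25519 keys, the private key is 32 random bytes (clamped), and the public key is X25519(private, 9). The X25519 function is a direct pure-Python transcription of RFC 7748 so the script runs with no dependencies; on a real system you generate keys with `wg genkey | tee privatekey | wg pubkey` or the Generate button in pfSense. The DDNS endpoint name, tunnel addresses and LAN subnet are assumptions for the demo.

```python
"""Generate a WireGuard key pair and the matching firewall-peer / client configs."""
import base64
import ipaddress
import os
from typing import Optional

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def clamp(private: bytes) -> bytes:
    """Clamp a 32-byte scalar exactly as RFC 7748 and `wg genkey` do."""
    b = bytearray(private)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return bytes(b)


def x25519(private: bytes, u_bytes: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5 (readability, not constant time)."""
    k = int.from_bytes(clamp(private), "little")
    x1 = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def wg_keypair(private: Optional[bytes] = None):
    """Return (private_b64, public_b64) in the form `wg genkey` / `wg pubkey` print."""
    priv = clamp(private if private is not None else os.urandom(32))
    pub = x25519(priv, BASEPOINT)
    return base64.b64encode(priv).decode(), base64.b64encode(pub).decode()


def build_configs(server_pub, client_priv, client_pub, endpoint,
                  client_addr, fw_tunnel_addr, lan_net, full_tunnel):
    """Return (peer entry for pfSense, client .conf text) for one road-warrior device.

    The firewall side lists only the client's /32 in Allowed IPs (the one address
    that device may source). The client side's AllowedIPs decides full vs split tunnel.
    """
    tunnel_net = ipaddress.ip_network(f"{fw_tunnel_addr}/24", strict=False)
    peer_on_firewall = {
        "Public Key": client_pub,
        "Allowed IPs": f"{client_addr}/32",
        "Endpoint": "",   # blank: the device roams and always initiates
    }
    allowed = "0.0.0.0/0" if full_tunnel else f"{lan_net}, {tunnel_net}"
    client_conf = "\n".join([
        "[Interface]",
        f"PrivateKey = {client_priv}",
        f"Address = {client_addr}/32",
        f"DNS = {fw_tunnel_addr}",          # resolve through the firewall's Resolver
        "",
        "[Peer]",
        f"PublicKey = {server_pub}",
        f"Endpoint = {endpoint}:51820",
        f"AllowedIPs = {allowed}",
        "PersistentKeepalive = 25",
        "",
    ])
    return peer_on_firewall, client_conf


if __name__ == "__main__":
    _, server_pub = wg_keypair()             # on pfSense: the tunnel's key pair
    client_priv, client_pub = wg_keypair()   # on the phone or laptop
    peer, conf = build_configs(server_pub, client_priv, client_pub,
                               "homefw.example.dyndns.org", "10.200.200.2",
                               "10.200.200.1", "10.47.83.0/24", full_tunnel=False)
    print("Peer entry on pfSense:", peer)
    print(conf)
```

The client's private key never appears in the firewall-side peer entry and the firewall's private key never appears in the client config; each side only ever holds the other's public key, which is why a leaked client .conf only exposes that one device and is fixed by deleting its peer.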

Module 6: Backup and Maintenance

Monthly Checklist

  • [ ] System -> Update: Check for updates
  • [ ] Diagnostics -> Backup & Restore: Download config backup
  • [ ] Check Dashboard for interface errors, high CPU, or memory usage
  • [ ] Review Firewall logs for blocked suspicious traffic
  • [ ] Verify VPN clients can still connect

Yearly Checklist

  • [ ] Rotate WireGuard keys
  • [ ] Review all port forwards — remove unused ones
  • [ ] Check certificate expiry (if using ACME/Let's Encrypt)
  • [ ] Audit user accounts and passwords
  • [ ] Test restore from backup on a spare VM

Troubleshooting Common Problems

Problem                          Likely Cause                Fix
No Internet after install        WAN not getting IP          Check cable; set WAN to DHCP or PPPoE
Can't access web GUI             Wrong IP; HTTPS blocked     Try http://192.168.1.1; check laptop IP
Port forward not working         ISP CGNAT                   Compare the Dashboard WAN IP with your public IP; a WAN address in 100.64.0.0/10 means CGNAT, which blocks inbound forwards and the WireGuard listener alike. Ask the ISP for a public IPv4 address, or tunnel outbound from the firewall to a host that has one
VPN connects but no LAN access   Missing firewall/NAT rule   Add allow rule on the WireGuard iface; for full-tunnel clients check outbound NAT covers the tunnel subnet
Slow Internet                    Hardware too weak           Check CPU usage; upgrade NIC or whole box
Can't reach some websites        DNS issue                   Set 1.1.1.1 or 8.8.8.8 as DNS servers in System -> General Setup and enable forwarding in Services -> DNS Resolver

Build Your Own Firewall — Capstone Exercise

Scenario: You have an old Dell OptiPlex, a 2-port Intel NIC, and a home fiber connection.

Requirements:

  1. Install pfSense CE
  2. Configure WAN (DHCP) and LAN (static 10.47.83.1/24)
  3. Set admin password
  4. Enable DNS Resolver with forwarding to Cloudflare (1.1.1.1)
  5. Create firewall rules: allow DNS, HTTPS, NTP outbound only
  6. Set up WireGuard for 2 devices (phone + laptop)
  7. Forward port 32400 to a Plex server at 10.47.83.50
  8. Enable AutoConfigBackup (or manual monthly backups)
  9. Document everything in a simple runbook

Success criteria:

  • Family can browse web normally
  • You can VPN in from outside and access LAN resources
  • Plex is accessible remotely
  • Configuration is backed up

Next Steps

Once comfortable with this module, advance to the full FUND001 curriculum:

  1. Training: pfSense Introduction — Phase 1, Day 1
  2. Training Lab 1: Introduction and Backup Restore — Hands-on lab

Or explore specialized topics:


This module was created for Comfac IT practical training. It is built around the problems most frequently encountered on personal and small-business networks.