Craig's pfSense Page

As a long-time user of FreeBSD, I found a pfSense firewall appliance a natural choice to protect my home network. I bought an SG-1100 from netgate.com and spent a bit of time learning pfSense. Here are some of my notes.

PF Filter

I use the OpenBSD PF firewall on all of my FreeBSD systems, which is another reason I decided to try pfSense. One thing I always try to do is log all blocked packets. With pfSense I try to remember to check the log checkbox when adding block or reject rules. But I also needed to go to Status / System Logs / Settings and check "Log firewall default blocks".

Speaking of logs, you can't run "tail -F" when you're logged into the pfSense box because the logs use a circular format; instead use "clog -f".
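Once default blocks are being logged, the interesting question is what is actually being dropped. The script below is an added example (not from this page) that parses filter log lines and counts blocked inbound packets by source, destination port and protocol. It assumes the BSD-style syslog prefix and the CSV field layout that pfSense's filterlog writes to /var/log/filter.log; the sample lines are constructed, with documentation addresses and a placeholder interface name.

```python
import csv
from collections import Counter

# Field layouts of a filterlog record (assumed from the filter.log CSV format).
COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto",
        "length", "src", "dst"]
IPV6 = ["class", "flow", "hoplimit", "proto", "proto_id", "length",
        "src", "dst"]
PORTS = ["sport", "dport"]  # leading fields of both the TCP and UDP blocks


def parse_filterlog(line):
    """Parse one syslog line of the form '... filterlog[pid]: <csv>'."""
    payload = line.split("]: ", 1)[-1]          # drop the syslog prefix
    fields = next(csv.reader([payload]))
    rec = dict(zip(COMMON, fields))
    rest = fields[len(COMMON):]
    layout = IPV4 if rec["ipver"] == "4" else IPV6
    rec.update(zip(layout, rest))
    rest = rest[len(layout):]
    if rec.get("proto") in ("tcp", "udp"):     # ICMP etc. carry no ports
        rec.update(zip(PORTS, rest))
    return rec


def blocked_summary(lines):
    """Count blocked/rejected inbound packets by (src, dst port, proto)."""
    counts = Counter()
    for line in lines:
        if "filterlog" not in line:
            continue
        rec = parse_filterlog(line)
        if rec["action"] in ("block", "reject") and rec["direction"] == "in":
            counts[(rec["src"], rec.get("dport", "-"), rec["proto"])] += 1
    return counts


# Constructed sample lines, not real captures; "em0" is a placeholder interface.
SAMPLE = """\
Jan 10 10:00:01 pfSense filterlog[1234]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.0.2.10,198.51.100.5,54321,22,0,S,1,,65535,,mss
Jan 10 10:00:02 pfSense filterlog[1234]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.0.2.10,198.51.100.5,54322,22,0,S,1,,65535,,mss
Jan 10 10:00:03 pfSense filterlog[1234]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,none,17,udp,78,203.0.113.7,198.51.100.5,5353,5353,58
Jan 10 10:00:04 pfSense filterlog[1234]: 5,,,1000000103,em0,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8::1,2001:db8:1::5,40000,443,0,S,1,,65535,,mss
Jan 10 10:00:05 pfSense filterlog[1234]: 1,,,1000000101,em0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.5,192.0.2.10,22,54321,0,S,1,,65535,,mss
""".splitlines()

if __name__ == "__main__":
    for key, n in blocked_summary(SAMPLE).most_common():
        print(n, *key)
```

On the firewall itself, feeding "clog /var/log/filter.log" into blocked_summary gives the same per-source view of what the default block rule is catching.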

Dynamic DNS

It was pretty easy to get RFC2136 Dynamic DNS working. Here's what I used to generate the TSIG key:

tsig-keygen -a hmac-sha512 ddns-myhost.example.org.

IPv6 Configuration

The pfSense GUI doesn't map directly to the dhcp6c configuration I had been running on my FreeBSD system, so it took a few tries to work out a config that received an IPv6 address. One thing I burned a lot of time on is that apparently the ISP side assumes that if you present the same DUID you are using the same options. I found that removing /var/db/dhcp6c_uid after making changes on the pfSense box allowed my changes to have an impact on observed behaviour.

IPv6 NAT

IPv4 NAT pretty much worked from the beginning. Although it is discouraged, for some reason I've always used NAT for IPv6 as well. The documentation might lead you to believe you cannot do it with pfSense:

https://docs.netgate.com/pfsense/en/latest/book/network/ipv6-nat.html

Gone is the traditional type of ugly port translated NAT (PAT) where internal addresses are translated using ports on a single external IP address. It is replaced by a straight network address translation called Network Prefix Translation (NPt).

It took a while, but I figured out how to make it work via the GUI. I created a mapping under Firewall / NAT / Outbound:

A side effect of this setup is that when you do an IPv6 traceroute out to the internet from the inside network, the first hop is ISP gear while an IPv4 traceroute shows the pfSense box as the first hop.

Kernel Messages

When I logged into the pfSense box to look around I noticed some kernel messages about licensing for ipw_monitor, ipw_ibss, ipw_bss, and wpi. To quiet these I added the following to /boot/loader.conf.local:

legal.intel_wpi.license_ack=1
legal.intel_ipw.license_ack=1

Copyright © 2019
Craig Leres