A long time user of FreeBSD, a pfSense firewall appliance was a natural choice for me to protect my home network. I bought a SG-1100 netgate.com and spent a bit of time learning pfSense. Here are some of my notes.
I use OpenBSD PF firewall on all of my FreeBSD systems which is another reason I decided to try pfSense. One thing I always try to do is log all blocked packets. with pfSense I try to remember to check the log checkbox when adding block or reject rules. But I also needed to go to Status / System Logs / Settings and check "Log firewall default blocks".
Speaking of logs you can't run "tail -F" when you're logged into the pfsense box because the logs use a circular format; instead use "clog -f".
It was pretty easy to get RFC2136 Dynamic DNS working. Here's what I used to generate the TSIG key:
tsig-keygen -a hmac-sha512 ddns-myhost.example.org.
The pfSense GUI doesn't map directly to the dhcp6c configuration I had been running on my FreeBSD system so it took a few tries to work out a config that received a IPv6 address. One thing I burned a lot of time on is that apparently the ISP side assumes if you present the same DUID you are using the same options. I found that removing /var/db/dhcp6c_uid after making changes on the pfsense box allowed my changes to have an impact on observed behaviour.
IPv4 NAT pretty much worked from the beginning. But although it is discouraged for some reason I've always used NAT for IPv6 as well. The documentation might lead you to believe you cannot do it with pfSense:
https://docs.netgate.com/pfsense/en/latest/book/network/ipv6-nat.htmlGone is the traditional type of ugly port translated NAT (PAT) where internal addresses are translated using ports on a single external IP address. It is replaced by a straight network address translation called Network Prefix Translation (NPt).
It took awhile but I figured out how to make NATv6 work via the GUI. I created a mapping under Firewall / NAT / Outbound:
A side effect of this setup is that when you do an IPv6 traceroute out to the internet from the inside network, the first hop is ISP gear while an IPv4 traceroute shows the pfSense box as the first hop.
When I logged into the pfSense box to look around I noticed some system.log kernel messages about licensing. To quiet these I added the follow to /boot/loader.conf.local:
legal.intel_ipw.license_ack=1 legal.intel_iwi.license_ack=1 legal.intel_wpi.license_ack=1
The The FreeBSD man pages for ipw(4), iwi(4), and iwifw(4) document these.
Copyright © 2019, 2020
Craig Leres