pfSense Firewall
Overview
| Field | Value |
|---|---|
| Host | pfsense |
| Proxmox VM ID | 110 |
| Boundary role | Active perimeter firewall and router |
| Redacted source | config.redacted.xml at the repo root |
The pfSense VM is the current network boundary. It controls WAN failover, LAN and DMZ segmentation, DNS redirection, proxy redirection, and VPN ingress.
Purpose
pfSense provides routing, stateful firewall policy, DHCP, NAT, WAN failover, WireGuard access, and remote logging. Its service owner is IT Operations and its criticality is Critical.
Architecture
Host Attachment
On Proxmox, the VM is attached to three bridges:
- vmbr0
- vmbr1
- vmbr2
The redacted pfSense config maps these to the firewall interfaces below.
Interface Map
| pfSense interface | Device | IPv4 | Role | Notes |
|---|---|---|---|---|
| wan | vtnet1 | 10.0.0.2/24 | WAN1 | Default gateway WAN1GW |
| opt1 | vtnet2 | 192.168.1.2/24 | WAN2 | Default gateway WAN2GW |
| lan | vtnet0 | 192.168.100.1/24 | LAN | Client/admin network |
| opt2 | vtnet0.2 | 192.168.2.1/24 | DMZ | VLAN tag 2 on vtnet0 |
Addressing
| Segment | CIDR | Gateway | Notes |
|---|---|---|---|
| WAN1 | 10.0.0.0/24 | 10.0.0.1 | Primary WAN gateway |
| WAN2 | 192.168.1.0/24 | 192.168.1.1 | Secondary WAN gateway |
| LAN | 192.168.100.0/24 | 192.168.100.1 | Workstations and admin hosts |
| DMZ | 192.168.2.0/24 | 192.168.2.1 | Proxmox, Docker, Pi-hole, and published services |
Gateway and Failover
| Item | Value |
|---|---|
| Default IPv4 gateway | WANFailOver |
| Members | WAN1GW, WAN2GW |
| Trigger | downlosslatency (member down, packet loss, or high latency) |
The configuration uses a gateway group so WAN traffic can fail over between the two upstream circuits.
DNS and Name Resolution
The live client DNS path is:
- Clients query Pi-hole at 192.168.2.2
- pfSense enforces DNS interception on the LAN side
- pfSense itself also has resolver configuration, but client traffic is intentionally steered to Pi-hole
Verified DNS-related configuration:
- unbound is configured with ACL support
- dnsmasq is configured on port 53000
- LAN DHCP hands out 192.168.2.2 as the DNS server
- A firewall/NAT rule redirects DNS traffic to Pi-hole on the LAN side
- Direct DNS traffic to pfSense itself is blocked on the LAN side
DHCP
| Interface | DHCP range | DNS handed out | Notes |
|---|---|---|---|
| LAN | 192.168.100.201-192.168.100.249 | 192.168.2.2 | Workstation/admin pool |
| DMZ | 192.168.2.100-192.168.2.200 | Not explicitly set in the export | DMZ pool |
NAT and Proxying
| Rule | Source | Destination | Target | Notes |
|---|---|---|---|---|
| Outbound NAT for WireGuard | 172.16.16.0/24 | any | WAN IP | Hybrid outbound NAT includes the WireGuard subnet |
| DNS redirect | LAN clients | DNS traffic | Pi-hole 192.168.2.2 | DNS interception to the internal resolver |
| HTTP/HTTPS redirect | LAN clients | external HTTP/HTTPS | Squid 192.168.2.60:3129 | Transparent proxy redirection |
The export shows hybrid outbound NAT and a transparent proxy rule that redirects HTTP and HTTPS traffic to the Squid host.
Firewall Policy Summary
| Interface | Notable rules |
|---|---|
| WAN | WireGuard ingress allowed on UDP 51420 |
| LAN | Default allow rule exists; additional alias-based rules allow admin and service access |
| DMZ | An allow-all rule exists for the DMZ interface |
| WireGuard | ACL entries exist for 172.16.16.0/24 in Unbound |
Alias-driven rules visible in the export include:
- AdminPCs
- WANPCs
- ClientDMZ
- SPStack
- PiHole
- DNSPorts
- kh3websiteteam
- http_s
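The DNS steering, NAT redirect and firewall rules documented in the three sections above are the invariants that a change is most likely to break silently (a DHCP edit that hands out the wrong resolver, a WAN rule that is not the WireGuard ingress, a new any-to-any pass rule). The following added example, which is not code from this repository or from pfSense, parses an export with the standard library and reports each invariant as a named finding. The embedded XML is a constructed miniature carrying this page's values, and its element paths are an assumption about the config.xml layout for `dhcpd`, `nat` and `filter`; confirm them against config.redacted.xml before pointing `audit()` at the real file.

```python
"""Audit a pfSense config export against this runbook's invariants.

Added example; not code from this repository or from pfSense. The element
paths below are an assumption about pfSense's config.xml layout.
"""
import xml.etree.ElementTree as ET

PIHOLE = "192.168.2.2"        # internal resolver the LAN is steered to
WIREGUARD_PORT = "51420"      # the only expected WAN ingress

# Constructed sample export with the values documented on this page.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <dhcpd>
    <lan>
      <range><from>192.168.100.201</from><to>192.168.100.249</to></range>
      <dnsserver>192.168.2.2</dnsserver>
    </lan>
    <opt2><range><from>192.168.2.100</from><to>192.168.2.200</to></range></opt2>
  </dhcpd>
  <nat>
    <rule><interface>lan</interface><protocol>tcp/udp</protocol>
      <destination><any/><port>53</port></destination>
      <target>192.168.2.2</target><local-port>53</local-port></rule>
    <rule><interface>lan</interface><protocol>tcp</protocol>
      <destination><any/><port>80</port></destination>
      <target>192.168.2.60</target><local-port>3129</local-port></rule>
  </nat>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
      <source><any/></source><destination><any/><port>51420</port></destination></rule>
    <rule><type>block</type><interface>lan</interface><protocol>tcp/udp</protocol>
      <source><any/></source><destination><network>lanip</network><port>53</port></destination></rule>
    <rule><type>pass</type><interface>lan</interface>
      <source><network>lan</network></source><destination><any/></destination></rule>
    <rule><type>pass</type><interface>opt2</interface>
      <source><any/></source><destination><any/></destination></rule>
  </filter>
</pfsense>
"""


def audit(xml_text):
    """Return named findings: booleans are pass/fail checks,
    permissive_any_any is the list of interfaces with an any-to-any pass rule."""
    root = ET.fromstring(xml_text)
    nat_rules = root.findall("nat/rule")
    fw_rules = root.findall("filter/rule")
    findings = {}

    # LAN DHCP must hand clients the Pi-hole address, not the firewall's own.
    findings["lan_dhcp_dns_is_pihole"] = root.findtext("dhcpd/lan/dnsserver") == PIHOLE

    # A LAN port-forward must intercept port 53 and send it to Pi-hole.
    findings["lan_dns_redirect"] = any(
        r.findtext("interface") == "lan"
        and r.findtext("destination/port") == "53"
        and r.findtext("target") == PIHOLE
        for r in nat_rules)

    # Clients must not be able to query pfSense's own LAN address directly.
    findings["lan_direct_dns_blocked"] = any(
        r.findtext("type") in ("block", "reject")
        and r.findtext("interface") == "lan"
        and r.findtext("destination/network") == "lanip"
        and r.findtext("destination/port") == "53"
        for r in fw_rules)

    # Every WAN pass rule must be the WireGuard UDP ingress; anything else is drift.
    wan_pass = [r for r in fw_rules
                if r.findtext("interface") == "wan" and r.findtext("type") == "pass"]
    findings["wan_pass_only_wireguard"] = bool(wan_pass) and all(
        r.findtext("protocol") == "udp" and r.findtext("destination/port") == WIREGUARD_PORT
        for r in wan_pass)

    # Interfaces carrying an unrestricted pass rule. The DMZ is expected here
    # today; listing it keeps the permissive policy visible at change review.
    findings["permissive_any_any"] = sorted({
        r.findtext("interface") for r in fw_rules
        if r.findtext("type") == "pass"
        and r.find("source/any") is not None
        and r.find("destination/any") is not None
        and r.findtext("destination/port") is None})
    return findings


if __name__ == "__main__":
    for name, result in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {result}")
```

Run it against the export taken before a change and again after; a finding that flips from True to False, or a new interface appearing in `permissive_any_any`, is the signal to roll back with the backup and restore runbook.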
VPN and Remote Access
| Item | Status | Notes |
|---|---|---|
| WireGuard | Configured and enabled | Startup is enforced with an early shell command |
| OpenVPN | No active server/client configuration visible | Empty section in the export |
| IPsec | Present as a client container only | No active site-to-site definitions were visible in the redacted export |
The WireGuard package is configured to start on boot, and pfSense has an Unbound ACL for the WireGuard subnet 172.16.16.0/24.
Logging and Monitoring
| Item | Value | Notes |
|---|---|---|
| Remote syslog destination | 192.168.2.20:5140 | Docker host proxy receives logs |
| ntopng | Present | Menu and service entries exist |
| BandwidthD | Present | Menu and service entries exist |
Aliases
| Alias | Type | Purpose |
|---|---|---|
| AdminPCs | host | Workstations used for admin tasks |
| ClientDMZ | host | DMZ client/server addresses |
| DNSPorts | port | DNS and DNS-over-TLS related ports |
| kh3websiteteam | host | Website collaboration access group |
| SPStack | host | SharePoint-related host group |
| WANPCs | host | Host group on WAN-side networks |
| PiHole | host | Pi-hole host at 192.168.2.2 |
| http_s | port | HTTP and HTTPS ports |
Configuration
Where To Edit
- Live export source: dated raw export in restricted storage outside this repository
- Shareable redacted export: config.redacted.xml
- Redaction helper: scripts/redact_pfsense_config.py
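The redaction helper is referenced above but not shown. As an added example, and not the repository's scripts/redact_pfsense_config.py, the following blanks credential and key-material elements and rewrites public IPv4 addresses to a documentation address, while leaving the lab's RFC 1918 addressing intact so the values this runbook documents stay meaningful in the shared copy. The element names in `SECRET_TAGS` and the sample export are assumptions; extend the set to whatever your own export contains, and diff the output against the raw export once before trusting it.

```python
"""Produce a shareable copy of a pfSense config export.

Added example; not the repository's scripts/redact_pfsense_config.py.
The secret element names are an assumption about pfSense's config.xml.
"""
import re
import xml.etree.ElementTree as ET

# Element names whose text holds credentials or private key material
# (assumed pfSense names; extend for packages present in your export).
SECRET_TAGS = {
    "password", "bcrypt-hash", "md5-hash", "sha512-hash", "nt-hash",
    "privatekey", "presharedkey", "pre-shared-key", "psk", "shared_key",
    "tls", "prv", "authorizedkeys", "api_key",
}

# Public IPv4 addresses are rewritten; RFC 1918, loopback, 0.x and 255.x
# are kept because they are the lab's own addressing, not an exposure.
PUBLIC_V4 = re.compile(
    r"\b(?!10\.|127\.|0\.|255\.|192\.168\.|172\.(?:1[6-9]|2\d|3[01])\.)"
    r"(?:\d{1,3}\.){3}\d{1,3}\b")
PLACEHOLDER_V4 = "203.0.113.0"   # TEST-NET-3, never routable

# Constructed sample export (no real credentials or addresses).
SAMPLE_EXPORT = """<pfsense>
  <system>
    <user><name>admin</name><bcrypt-hash>$2y$10$constructedhash</bcrypt-hash></user>
    <dnsserver>192.168.2.2</dnsserver>
  </system>
  <interfaces><wan><ipaddr>198.51.100.7</ipaddr><gateway>WAN1GW</gateway></wan></interfaces>
  <installedpackages><wireguard><tunnels><item>
    <privatekey>constructed-private-key</privatekey>
    <publickey>constructed-public-key</publickey>
    <addresses>172.16.16.1/24</addresses>
  </item></tunnels></wireguard></installedpackages>
  <syslog><remoteserver>192.168.2.20:5140</remoteserver></syslog>
</pfsense>"""


def redact(xml_text):
    """Return (redacted_xml, number_of_replacements)."""
    root = ET.fromstring(xml_text)
    replaced = 0
    for el in root.iter():
        text = el.text or ""
        if el.tag in SECRET_TAGS and text.strip():
            el.text = "REDACTED"
            replaced += 1
        elif PUBLIC_V4.search(text):
            el.text, n = PUBLIC_V4.subn(PLACEHOLDER_V4, text)
            replaced += n
    return ET.tostring(root, encoding="unicode"), replaced


if __name__ == "__main__":
    redacted, count = redact(SAMPLE_EXPORT)
    print(f"{count} values redacted")
    print(redacted)
```

Public keys are deliberately left in place here: they identify peers but grant nothing, and keeping them makes the redacted export usable for reasoning about the WireGuard topology.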
Operational Procedures
- Export the current configuration before every change.
- Change one alias, rule, interface, or NAT entry at a time.
- Check gateway health, DNS, a LAN client, a DMZ service, and WireGuard after changes.
- Use the backup and restore runbook for rollback.
Troubleshooting
- WAN outage: check gateway state and the WANFailOver group.
- LAN DNS failure: check DHCP DNS, Pi-hole reachability, and DNS redirect rules.
- Published service failure: check NAT/firewall path, then Traefik.
- VPN failure: check UDP 51420, peer state, and outbound NAT.
Configuration Gaps
- WAN provider names and circuit ownership
- Whether WAN2 is a permanent failover path or a temporary backup circuit
- Whether Squid is still intended as a transparent proxy for all LAN HTTP/HTTPS traffic
- Whether the current DMZ policy should remain permissive or be tightened
Related Systems
References
- Repository root: config.redacted.xml