pfSense Firewall

Overview

| Field | Value |
|---|---|
| Host | pfsense |
| Proxmox VM ID | 110 |
| Boundary role | Active perimeter firewall and router |
| Redacted source | config.redacted.xml at the repo root |

The pfSense VM is the current network boundary. It controls WAN failover, LAN and DMZ segmentation, DNS redirection, proxy redirection, and VPN ingress.

Purpose

pfSense provides routing, stateful firewall policy, DHCP, NAT, WAN failover, WireGuard access, and remote logging. Its service owner is IT Operations and its criticality is Critical.

Architecture

Host Attachment

On Proxmox, the VM is attached to three bridges:

  • vmbr0
  • vmbr1
  • vmbr2

The redacted pfSense config maps these to the firewall interfaces below.

Interface Map

| pfSense interface | Device | IPv4 | Role | Notes |
|---|---|---|---|---|
| wan | vtnet1 | 10.0.0.2/24 | WAN1 | Default gateway WAN1GW |
| opt1 | vtnet2 | 192.168.1.2/24 | WAN2 | Default gateway WAN2GW |
| lan | vtnet0 | 192.168.100.1/24 | LAN | Client/admin network |
| opt2 | vtnet0.2 | 192.168.2.1/24 | DMZ | VLAN tag 2 on vtnet0 |

Addressing

| Segment | CIDR | Gateway | Notes |
|---|---|---|---|
| WAN1 | 10.0.0.0/24 | 10.0.0.1 | Primary WAN gateway |
| WAN2 | 192.168.1.0/24 | 192.168.1.1 | Secondary WAN gateway |
| LAN | 192.168.100.0/24 | 192.168.100.1 | Workstations and admin hosts |
| DMZ | 192.168.2.0/24 | 192.168.2.1 | Proxmox, Docker, Pi-hole, and published services |

Gateway and Failover

| Item | Value |
|---|---|
| Default IPv4 gateway | WANFailOver |
| Members | WAN1GW, WAN2GW |
| Trigger | downlosslatency |

The configuration uses a gateway group so WAN traffic can fail over between the two upstream circuits.

DNS and Name Resolution

The live client DNS path is:

  1. Clients query Pi-hole at 192.168.2.2
  2. pfSense enforces DNS interception on the LAN side
  3. pfSense itself also has resolver configuration, but client traffic is intentionally steered to Pi-hole

Verified DNS-related configuration:

  • unbound is configured with ACL support
  • dnsmasq is configured on port 53000
  • LAN DHCP hands out 192.168.2.2 as the DNS server
  • A firewall/NAT rule redirects DNS traffic to Pi-hole on the LAN side
  • Direct DNS traffic to pfSense itself is blocked on the LAN side

DHCP

| Interface | DHCP range | DNS handed out | Notes |
|---|---|---|---|
| LAN | 192.168.100.201-192.168.100.249 | 192.168.2.2 | Workstation/admin pool |
| DMZ | 192.168.2.100-192.168.2.200 | Not explicitly set in the export | DMZ pool |

NAT and Proxying

| Rule | Source | Destination | Target | Notes |
|---|---|---|---|---|
| Outbound NAT for WireGuard | 172.16.16.0/24 | any | WAN IP | Hybrid outbound NAT includes the WireGuard subnet |
| DNS redirect | LAN clients | DNS traffic | Pi-hole 192.168.2.2 | DNS interception to the internal resolver |
| HTTP/HTTPS redirect | LAN clients | external HTTP/HTTPS | Squid 192.168.2.60:3129 | Transparent proxy redirection |

The export shows hybrid outbound NAT and a transparent proxy rule that redirects HTTP and HTTPS traffic to the Squid host.

Firewall Policy Summary

| Interface | Notable rules |
|---|---|
| WAN | WireGuard ingress allowed on UDP 51420 |
| LAN | Default allow rule exists; additional alias-based rules allow admin and service access |
| DMZ | An allow-all rule exists for the DMZ interface |
| WireGuard | ACL entries exist for 172.16.16.0/24 in Unbound |

Alias-driven rules visible in the export include:

  • AdminPCs
  • WANPCs
  • ClientDMZ
  • SPStack
  • PiHole
  • DNSPorts
  • kh3websiteteam
  • http_s
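As an added example (not code from this repository or its redaction helper), a small Python audit that reads a pfSense config.xml export and reports the facts the DNS and firewall-policy sections above rely on: which DNS server each DHCP scope hands out, which NAT rules redirect port 53, and which interfaces carry a pass-any rule such as the DMZ allow-all. The element layout is assumed from the pfSense export format and the sample config is constructed, not taken from config.redacted.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample mimicking the pfSense config.xml layout (assumed here, not
# copied from config.redacted.xml): LAN DHCP hands out Pi-hole, LAN DNS is
# redirected to it, the DMZ (opt2) has a pass-any rule, WAN passes UDP 51420.
SAMPLE_CONFIG = """<pfsense>
 <dhcpd>
  <lan><enable/><range><from>192.168.100.201</from><to>192.168.100.249</to></range>
   <dnsserver>192.168.2.2</dnsserver></lan>
  <opt2><enable/><range><from>192.168.2.100</from><to>192.168.2.200</to></range></opt2>
 </dhcpd>
 <nat><rule><interface>lan</interface><protocol>tcp/udp</protocol>
  <source><network>lan</network></source><destination><any/><port>53</port></destination>
  <target>192.168.2.2</target><local-port>53</local-port></rule></nat>
 <filter>
  <rule><type>pass</type><interface>opt2</interface>
   <source><any/></source><destination><any/></destination></rule>
  <rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
   <source><any/></source><destination><any/><port>51420</port></destination></rule>
 </filter>
</pfsense>"""

def dhcp_dns(root, iface):
    """DNS servers the DHCP scope on `iface` hands out; [] if none is set."""
    scope = root.find(f"dhcpd/{iface}")
    return [] if scope is None else [d.text for d in scope.findall("dnsserver")]

def dns_redirects(root):
    """Port-forward rules catching destination port 53, as (interface, target)."""
    return [(r.findtext("interface"), r.findtext("target"))
            for r in root.findall("nat/rule") if r.findtext("destination/port") == "53"]

def permissive_pass_rules(root):
    """Interfaces with a pass rule from any source to any destination and port."""
    return [r.findtext("interface") for r in root.findall("filter/rule")
            if r.findtext("type") == "pass"
            and r.find("source/any") is not None
            and r.find("destination/any") is not None
            and r.findtext("destination/port") is None]

def audit(xml_text):
    """Summarise the DNS-steering and permissive-rule facts for one export."""
    root = ET.fromstring(xml_text)
    return {"lan_dns": dhcp_dns(root, "lan"), "dmz_dns": dhcp_dns(root, "opt2"),
            "dns_redirects": dns_redirects(root),
            "permissive": permissive_pass_rules(root)}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against the redacted export (`audit(open("config.redacted.xml").read())`) after each change to confirm the DNS handout, the redirect and the DMZ policy still match what this page records.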

VPN and Remote Access

| Item | Status | Notes |
|---|---|---|
| WireGuard | Configured and enabled | Startup is enforced with an early shell command |
| OpenVPN | No active server/client configuration visible | Empty section in the export |
| IPsec | Present as a client container only | No active site-to-site definitions were visible in the redacted export |

The WireGuard package is configured to start on boot, and pfSense has an Unbound ACL for the WireGuard subnet 172.16.16.0/24.

Logging and Monitoring

| Item | Value | Notes |
|---|---|---|
| Remote syslog destination | 192.168.2.20:5140 | Docker host proxy receives logs |
| ntopng | Present | Menu and service entries exist |
| BandwidthD | Present | Menu and service entries exist |

Aliases

| Alias | Type | Purpose |
|---|---|---|
| AdminPCs | host | Workstations used for admin tasks |
| ClientDMZ | host | DMZ client/server addresses |
| DNSPorts | port | DNS and DNS-over-TLS related ports |
| kh3websiteteam | host | Website collaboration access group |
| SPStack | host | SharePoint-related host group |
| WANPCs | host | Host group on WAN-side networks |
| PiHole | host | Pi-hole host at 192.168.2.2 |
| http_s | port | HTTP and HTTPS ports |

Configuration

Where To Edit

  • Live export source: dated raw export in restricted storage outside this repository
  • Shareable redacted export: config.redacted.xml
  • Redaction helper: scripts/redact_pfsense_config.py

Operational Procedures

  • Export the current configuration before every change.
  • Change one alias, rule, interface, or NAT entry at a time.
  • Check gateway health, DNS, a LAN client, a DMZ service, and WireGuard after changes.
  • Use the backup and restore runbook for rollback.

Troubleshooting

  • WAN outage: check gateway state and the WANFailOver group.
  • LAN DNS failure: check DHCP DNS, Pi-hole reachability, and DNS redirect rules.
  • Published service failure: check NAT/firewall path, then Traefik.
  • VPN failure: check UDP 51420, peer state, and outbound NAT.

Configuration Gaps

  • WAN provider names and circuit ownership
  • Whether WAN2 is a permanent failover path or a temporary backup circuit
  • Whether Squid is still intended as a transparent proxy for all LAN HTTP/HTTPS traffic
  • Whether the current DMZ policy should remain permissive or be tightened

References

  • config.redacted.xml at the repository root