Pfsense Scenario Questions Lvl3 Flashcards

(19 cards)

1
Q

Suppose you have multiple client machines connected to pfSense through the LAN interface, and you want them to have internet access. However, you also want to block access to websites like YouTube and Facebook. What are some methods or tools within pfSense that can help you achieve this kind of web filtering?

A

You can use DNS blacklists, firewall alias rules to block specific IPs or domains, or install a proxy service like Squid and enable URL filtering or blacklists to prevent access to specific websites.

2
Q

In VMware, there’s an option to use either Host-only or Bridged networking for your virtual machines. Can you explain the difference between these two, and in what scenarios you would assign one to pfSense’s LAN interface and the other to its WAN interface?

A

Host-only networking isolates the VM from the external network and only allows communication with the host and other host-only VMs—ideal for LAN setups. Bridged networking connects the VM directly to the physical network, making it behave like a physical device—ideal for the WAN side if you want pfSense to get a real IP from your network.

3
Q

If you want to increase security on your pfSense firewall, and only allow certain external IP addresses (like your work or home IP) to connect to services on the WAN interface (for example, a VPN or web server), how would you configure pfSense to only allow those specific IP addresses and deny all others?

A

You would go to the Firewall > Rules > WAN tab and add a rule that allows only the IP addresses you want under the Source field. Then, place a “block all” rule below it to deny any other source trying to access your WAN services.

4
Q

Let’s say pfSense has two different LAN interfaces—one for staff computers and one for servers. How can you make sure devices from the staff LAN can reach the servers on the other LAN interface while still controlling what traffic is allowed between them?

A

You need to go to Interfaces > Assign and assign both LAN interfaces with different IP subnets. Then, go to Firewall > Rules and create rules on both LAN interfaces that allow (or restrict) traffic between those two networks, based on IP or port.

5
Q

You just installed pfSense and connected a client computer to its LAN interface. What type of rule do you need to create on the LAN interface in pfSense to allow this client to access the internet through the WAN side?

A

Go to Firewall > Rules > LAN and add a rule that allows any protocol from any source (LAN net) to any destination. This rule lets your client device send traffic to the internet through pfSense.

6
Q

If you accidentally leave both the VMware DHCP service and the pfSense DHCP service enabled on the same LAN network (e.g., VMnet2), what kind of problems could you run into with your virtual machines or client PCs?

A

You may get IP address conflicts or inconsistent connectivity, because both servers might respond to DHCP requests. This can confuse clients or cause them to receive an IP from the wrong server. You should only have one active DHCP server per network.

7
Q

You are hosting a web server inside your LAN network on pfSense, and you want people on the internet to be able to reach it by typing your public IP. What steps would you follow in pfSense to make this possible, and what settings are important?

A

Go to Firewall > NAT > Port Forward and forward the external port (e.g., 80) to the LAN IP of your web server. Make sure to check “Add associated firewall rule” so that WAN traffic is allowed to that port.

8
Q

When configuring the WAN interface of pfSense, you’re asked to set up a gateway. What is a gateway in this context, and what happens if you forget to configure a gateway for the WAN?

A

A gateway is the IP address of the next device (like VMware NAT or a physical router) that pfSense sends traffic to for reaching the internet. Without a configured gateway, pfSense won’t be able to send packets to the internet from its WAN side.

9
Q

You want to allow remote workers to securely access your pfSense LAN from their homes or laptops using a VPN. What steps must you follow to set up a remote-access VPN server (such as OpenVPN) on pfSense?

A

First, install and configure the OpenVPN package. Generate certificates using the built-in CA. Create a server configuration under VPN > OpenVPN. Set firewall rules to allow VPN traffic on the WAN. Then export a client configuration for users to connect remotely.

10
Q

Your organization needs each department to be in its own subnet (e.g., HR = 192.168.10.0/24, IT = 192.168.20.0/24), but you only have one physical LAN interface on pfSense. How can you achieve this using VLANs, and what steps must be taken in both pfSense and your managed switch?

A

Configure VLAN interfaces in pfSense under Interfaces > Assignments > VLANs, assign each VLAN to a virtual interface, and create firewall rules for isolation. On the managed switch, tag the port connected to pfSense with all VLANs and untag access ports for each department.

11
Q

After setting up OpenVPN on pfSense, remote clients can connect but can’t access internal LAN resources. What settings should you check to fix this issue?

A

Verify that “Redirect Gateway” or proper routes are enabled in OpenVPN server settings, check that local networks are defined in the configuration, ensure LAN firewall rules allow OpenVPN traffic, and confirm the OpenVPN interface has rules allowing traffic to the LAN subnet.

12
Q

You want to block internet access from 10 PM to 6 AM for IPs in the range 192.168.50.100–200. How can you set up this time-based restriction in pfSense?

A

Create an alias for the IP range, then define a firewall rule blocking access from that alias to any destination. Use a schedule (Firewall > Schedules) set to 10 PM–6 AM, and apply it to the rule.

13
Q

LAN clients report slow internet. You suspect DNS issues. How can you confirm this using pfSense’s diagnostic tools?

A

Use Diagnostics > DNS Lookup to test resolution, and compare it with pinging external IPs. If IPs work but domain names don’t, the issue is likely DNS-related. Also check System > General Setup for DNS servers and verify if the DNS Resolver is running.

14
Q

You want to set up dual-WAN failover in pfSense. How do you configure pfSense to automatically switch to a backup ISP when the main one fails?

A

Set up both WAN interfaces, create a gateway group with tiered priorities (System > Routing > Gateway Groups), assign it to LAN rules, and enable gateway monitoring. pfSense will route traffic via the backup if the primary fails.

15
Q

A user can ping 8.8.8.8 but not google.com. What does this indicate, and how do you fix it in pfSense?

A

This suggests a DNS issue. Check if DNS Resolver or Forwarder is enabled, verify DNS servers in System > General Setup, and ensure firewall rules allow DNS (port 53) to the resolver or external servers.

16
Q

You’re setting up a guest Wi-Fi network. How do you isolate guest users from your internal LAN, log their activity, and apply bandwidth limits in pfSense?

A

Create a separate interface (e.g., OPT1), assign it a new subnet, enable Captive Portal on that interface, and use firewall rules to block access to LAN. Use RADIUS or local portal for logging, and enable per-user bandwidth limits in Captive Portal settings.

17
Q

VoIP calls have poor quality on your network. How do you configure pfSense to prioritize VoIP traffic?

A

Use the Traffic Shaper Wizard under Firewall > Traffic Shaper to create queues and rules for SIP/RTP traffic. Assign high priority to VoIP ports (5060/UDP, 10000-20000/UDP), and apply rules to match source/destination IPs or ports.

18
Q

pfSense’s web GUI is accessible on the WAN. Why is this dangerous, and how do you fix it while still allowing secure remote access?

A

It is a security risk due to potential brute-force or exploit attacks. Disable WAN access to the web interface in System > Advanced > Admin Access. Use VPN for remote access, or restrict WAN access with strict firewall rules and allow only trusted IPs.

19
Q

You want to set up a second pfSense to automatically take over if the first fails. What pfSense feature allows this, and how is it configured?

A

Use CARP (Common Address Redundancy Protocol) to create virtual IPs shared by two pfSense devices. Synchronize settings using XMLRPC sync, ensure identical interfaces, and use heartbeat on dedicated interfaces for state syncing.