pfSense Firewall Rules

1. Overview

pfSense firewall rules implement network segmentation and security policy for the Domus Digitalis infrastructure. Rules follow a zero-trust model with explicit permits and default deny.

2. Architecture

Interface      Subnet           Purpose
------------   --------------   -----------------------------------------
WAN            DHCP from ISP    Internet uplink
LAN (INFRA)    10.50.1.0/24     Infrastructure services (ISE, DC, Vault)
OPT1 (DATA)    10.50.10.0/24    Workstations (802.1X authenticated)
OPT2 (MGMT)    10.50.100.0/24   Management network (switches, APs)
OPT3 (GUEST)   10.50.30.0/24    Guest WiFi (internet only)
OPT4 (IOT)     10.50.40.0/24    IoT devices (isolated)

3. Rule Design Principles

Principle         Implementation
---------------   ---------------------------------------------
Default Deny      All interfaces end with implicit deny
Least Privilege   Only permit explicitly required traffic
Log Denied        Log blocked traffic for security monitoring
Stateful          Return traffic automatically permitted
Anti-Spoofing     Block private IPs on WAN interface

4. Interface Rules

4.1. WAN Rules

Action   Protocol   Source           Destination   Port
------   --------   --------------   -----------   -------------------
Block    *          RFC1918          *             *
Block    *          Bogon networks   *             *
Pass     TCP        *                WAN address   443 (VPN)
Pass     UDP        *                WAN address   51820 (WireGuard)

4.2. INFRA (LAN) Rules

Infrastructure VLAN - servers and core services:

Action   Protocol   Source      Destination     Port
------   --------   ---------   -------------   ------------------
Pass     *          INFRA net   *               *
Pass     TCP        DATA net    10.50.1.21      8443
Pass     TCP/UDP    DATA net    10.50.1.50      88, 389, 636, 445
Pass     UDP        *           INFRA address   53
Block    *          *           *               * (implicit)

4.3. DATA Rules

Workstation VLAN - 802.1X authenticated devices:

Action   Protocol   Source     Destination   Port
------   --------   --------   -----------   -------------------
Pass     UDP        DATA net   10.50.1.1     53
Pass     TCP        DATA net   10.50.1.21    8443, 8905
Pass     TCP/UDP    DATA net   10.50.1.50    88, 389, 636, 445
Pass     TCP        DATA net   !RFC1918      80, 443
Pass     TCP        DATA net   !RFC1918      22
Block    *          DATA net   RFC1918       * (block lateral)
Pass     *          DATA net   !RFC1918      *
Block    *          *          *             * (implicit)

The !RFC1918 destination means "not private networks": it allows internet access while blocking internal lateral movement. Because pfSense evaluates rules top to bottom with first match winning, the "block lateral" rule must stay above the catch-all pass. This mirrors the dACL applied by ISE.

4.4. GUEST Rules

Guest WiFi - internet only, no internal access:

Action   Protocol   Source      Destination     Port
------   --------   ---------   -------------   -------------
Pass     UDP        GUEST net   GUEST address   53
Pass     UDP        GUEST net   *               123
Block    *          GUEST net   RFC1918         *
Pass     TCP        GUEST net   *               80, 443
Block    *          *           *               * (implicit)

4.5. IOT Rules

IoT devices - isolated with minimal access:

Action   Protocol   Source    Destination   Port
------   --------   -------   -----------   -------------
Pass     UDP        IOT net   IOT address   53
Pass     UDP        IOT net   *             123
Block    *          IOT net   RFC1918       *
Pass     TCP        IOT net   *             80, 443
Block    *          *         *             * (implicit)

5. NAT Configuration

5.1. Outbound NAT

Automatic outbound NAT for all internal networks to WAN.

5.2. Port Forwards

Description                    WAN Port    Destination   Internal Port
----------------------------   ---------   -----------   -------------
WireGuard VPN                  51820/UDP   10.50.1.1     51820
ISE Guest Portal (if needed)   8443/TCP    10.50.1.21    8443

6. Aliases

Aliases simplify rule management:

Alias         Contents
-----------   ------------------------------------------
RFC1918       10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
ISE_Servers   10.50.1.20, 10.50.1.21
AD_Servers    10.50.1.50
DNS_Servers   10.50.1.1, 10.50.1.50
Web_Ports     80, 443
AD_Ports      88, 389, 636, 445, 3268
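The following is an added example, not part of the Domus Digitalis documentation and not pfSense's own packet filter: a small first-match evaluator that loads the DATA interface rules from section 4.3, expands the RFC1918 and Web_Ports aliases from section 6, and reports which rule a given flow hits. It lets you check offline that the "block lateral" rule really sits above the catch-all pass before the ruleset is applied. The "DATA net" interface alias is mapped to 10.50.10.0/24 from section 2; the sample flows are constructed.

```python
"""Added example: first-match evaluation of the section 4.3 DATA rules
with the section 6 aliases.  This is a model of pfSense's top-down,
first-match semantics written for this page, not pfSense code."""
import ipaddress
from dataclasses import dataclass

ANY = "*"

# Aliases from section 6 plus the interface network from section 2.
NET_ALIASES = {
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "ISE_Servers": ["10.50.1.20", "10.50.1.21"],
    "AD_Servers": ["10.50.1.50"],
    "DNS_Servers": ["10.50.1.1", "10.50.1.50"],
    "DATA net": ["10.50.10.0/24"],   # assumption: OPT1 subnet from section 2
}
PORT_ALIASES = {
    "Web_Ports": {80, 443},
    "AD_Ports": {88, 389, 636, 445, 3268},
}


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    proto: str    # "tcp", "udp", "tcp/udp" or "*"
    src: str      # alias name, address/CIDR or "*"
    dst: str      # alias name, address/CIDR, "*", or "!alias" for negation
    ports: str    # port alias, comma-separated list, or "*"
    note: str = ""


def _nets(spec):
    """Expand an alias (or a literal address/CIDR) to ip_network objects."""
    return [ipaddress.ip_network(n, strict=False)
            for n in NET_ALIASES.get(spec, [spec])]


def _match_addr(spec, addr):
    if spec == ANY:
        return True
    negate = spec.startswith("!")          # "!RFC1918" = not private
    hit = any(addr in n for n in _nets(spec.lstrip("!")))
    return hit != negate


def _match_port(spec, port):
    if spec == ANY:
        return True
    if spec in PORT_ALIASES:
        return port in PORT_ALIASES[spec]
    return port in {int(p) for p in spec.split(",")}


def _match_proto(spec, proto):
    return spec == ANY or proto in spec.split("/")


# Section 4.3 DATA rules, in the order the page lists them.
DATA_RULES = [
    Rule("pass", "udp", "DATA net", "10.50.1.1", "53"),
    Rule("pass", "tcp", "DATA net", "10.50.1.21", "8443, 8905"),
    Rule("pass", "tcp/udp", "DATA net", "AD_Servers", "88, 389, 636, 445"),
    Rule("pass", "tcp", "DATA net", "!RFC1918", "Web_Ports"),
    Rule("pass", "tcp", "DATA net", "!RFC1918", "22"),
    Rule("block", "*", "DATA net", "RFC1918", "*", "block lateral"),
    Rule("pass", "*", "DATA net", "!RFC1918", "*"),
    Rule("block", "*", "*", "*", "*", "implicit"),
]


def evaluate(rules, proto, src, dst, dport):
    """Return (action, rule index) of the first rule matching the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if (_match_proto(r.proto, proto) and _match_addr(r.src, s)
                and _match_addr(r.dst, d) and _match_port(r.ports, dport)):
            return r.action, i
    return "block", -1   # not reached: the implicit block is in the list


if __name__ == "__main__":
    # Constructed flows: ISE portal, SSH to an internal host, HTTPS out.
    for flow in [("tcp", "10.50.10.7", "10.50.1.21", 8443),
                 ("tcp", "10.50.10.7", "10.50.1.1", 22),
                 ("tcp", "10.50.10.7", "203.0.113.10", 443)]:
        print(flow, "->", evaluate(DATA_RULES, *flow))
```

The useful check is the second flow: TCP/22 is permitted only to !RFC1918, so SSH toward an internal address falls through to the "block lateral" rule, which is the behaviour the page describes. Swapping the order of the last two non-implicit rules in `DATA_RULES` would make the evaluator report "pass" for that flow, which is exactly the misordering this model is meant to catch.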

7. Monitoring

7.1. View Firewall Logs

Via pfSense GUI:

  1. Status → System Logs → Firewall

Via netapi (if available):

netapi pfsense logs firewall --limit 100

7.2. Common Log Entries

Log Pattern             Meaning
---------------------   --------------------------------------------------
block + RFC1918 dest    Lateral movement blocked (expected for DATA/GUEST)
block + port 445        SMB blocked (expected for non-AD traffic)
pass + port 53          DNS query permitted
block + WAN in          Inbound scan blocked
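As an added example (not part of this documentation or of netapi), the script below parses raw pfSense filterlog lines and labels each one with the meanings from the table above, which is the kind of triage a monitoring pipeline would do before alerting. The comma-separated field layout after "filterlog[pid]:" is pfSense's documented filterlog format. The interface names (igb0 for WAN, igb1.10 and igb1.30 for the DATA and GUEST VLANs) and the log lines themselves are constructed assumptions, with 203.0.113.0/24 standing in for public addresses.

```python
"""Added example: classify pfSense filterlog entries by the section 7.2
patterns.  Field positions follow the pfSense filterlog CSV format; the
interface names and sample lines are constructed for this page."""
import ipaddress
import re
from typing import Optional

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WAN_IF = "igb0"   # assumption: WAN is igb0 on this firewall

_FILTERLOG = re.compile(r"filterlog\[\d+\]:\s*(.*)$")


def parse_filterlog(line: str) -> Optional[dict]:
    """Return the fields of one IPv4 filterlog entry, or None if it is not one."""
    m = _FILTERLOG.search(line)
    if not m:
        return None
    f = m.group(1).split(",")
    # Common header: rule,subrule,anchor,tracker,iface,reason,action,dir,ipver
    if len(f) < 20 or f[8] != "4":
        return None
    rec = {"rule": f[0], "iface": f[4], "action": f[6], "dir": f[7]}
    # IPv4 part: tos,ecn,ttl,id,offset,flags,proto-id,proto-text,len,src,dst
    rec["proto"] = f[16]
    rec["src"], rec["dst"] = f[18], f[19]
    # TCP and UDP then carry src-port,dst-port,data-length,...
    if rec["proto"] in ("tcp", "udp") and len(f) >= 22:
        rec["sport"], rec["dport"] = int(f[20]), int(f[21])
    else:
        rec["sport"] = rec["dport"] = None
    return rec


def is_private(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in n for n in RFC1918)


def classify(rec: dict) -> str:
    """Map a parsed entry to a section 7.2 meaning, most specific pattern first."""
    if rec["action"] == "block":
        if rec["iface"] == WAN_IF and rec["dir"] == "in":
            return "Inbound scan blocked"
        if rec["dport"] == 445:
            return "SMB blocked (expected for non-AD traffic)"
        if is_private(rec["dst"]):
            return "Lateral movement blocked (expected for DATA/GUEST)"
        return "Blocked (other)"
    if rec["action"] == "pass" and rec["dport"] == 53:
        return "DNS query permitted"
    return "Permitted (other)"


def summarize(lines) -> dict:
    """Count classified entries; non-filterlog lines are skipped."""
    counts = {}
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None:
            continue
        label = classify(rec)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample log lines (not captured from a real firewall).
SAMPLE_LOGS = [
    # DATA workstation -> MGMT host on TCP/445: hits the "block lateral" rule
    "Mar 3 10:01:02 fw filterlog[71234]: 6,,,1000000106,igb1.10,match,block,in,4,"
    "0x0,,64,31337,0,DF,6,tcp,60,10.50.10.7,10.50.100.5,49152,445,0,S,1,,65535,,mss",
    # DATA workstation -> firewall INFRA address on UDP/53: permitted
    "Mar 3 10:01:03 fw filterlog[71234]: 1,,,1000000101,igb1.10,match,pass,in,4,"
    "0x0,,64,31338,0,DF,17,udp,61,10.50.10.7,10.50.1.1,53421,53,41",
    # Unsolicited TCP/22 from the internet arriving on WAN: default block
    "Mar 3 10:01:04 fw filterlog[71234]: 0,,,1000000001,igb0,match,block,in,4,"
    "0x0,,52,4242,0,DF,6,tcp,60,203.0.113.9,203.0.113.2,55555,22,0,S,2,,29200,,mss",
    # GUEST client -> AD server on TCP/389: GUEST RFC1918 block
    "Mar 3 10:01:05 fw filterlog[71234]: 3,,,1000000303,igb1.30,match,block,in,4,"
    "0x0,,64,99,0,none,6,tcp,60,10.50.30.5,10.50.1.50,50000,389,0,S,3,,65535,,mss",
    # Unrelated syslog line, ignored by the parser
    "Mar 3 10:01:06 fw sshd[812]: Accepted publickey for admin from 10.50.100.9",
]

if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_LOGS).items()):
        print(f"{n:4d}  {label}")
```

The patterns are checked most specific first (WAN inbound, then port 445, then any RFC1918 destination), because a blocked SMB attempt toward an internal host matches both of the last two rows of the table and should be reported under the narrower label.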

8. Backup and Restore

8.1. Backup via netapi

netapi pfsense backup --upload-nas

8.2. Manual Backup

Diagnostics → Backup & Restore → Download configuration as XML

8.3. Restore

Diagnostics → Backup & Restore → Restore Backup

9.1. ISE dACL Coordination

The pfSense firewall rules and ISE dACLs work together:

  • pfSense: Enforces segmentation at network edge

  • ISE dACL: Enforces segmentation at switch port level

Both should have consistent rules. See domus-ise-linux component:

  • 03-ise-config/hardened-dacl.adoc - dACL configuration

  • 03-ise-config/authorization-policy.adoc - Authorization profiles