pfSense is a robust and flexible open-source firewall/router well suited to small businesses. However, many administrators struggle when they first try to configure pfSense correctly. The most common mistakes I see are: (1) no network segmentation, (2) overly permissive firewall rules, (3) weak remote access, and (4) no intrusion detection. The best practice is a layered, simple configuration: create VLANs for separation, give each VLAN its own DHCP scope, enforce explicit allow rules only, deploy an IDS/IPS, and provide remote access only through a properly configured OpenVPN server. This guide will walk you through how to configure pfSense step by step, with practical examples and security notes.


Prerequisites & Assumptions

Before you configure pfSense, ensure you have:

  • pfSense installed (on dedicated hardware, VM, or appliance). This guide assumes pfSense CE 2.4 or later (2.5 and 2.6 included).
  • A managed switch with 802.1Q VLAN tagging (e.g., UniFi, Cisco SG, Netgear ProSAFE).
  • A single WAN link and one physical LAN interface on the pfSense box.
  • Basic familiarity with IP addressing and the pfSense webGUI.

Always back up your existing configuration (System → Backup & Restore) before starting to configure pfSense.


Recommended IP Plan

  • WAN: DHCP or static from ISP
  • LAN (management): 192.168.1.0/24 — pfSense LAN IP 192.168.1.1
  • VLAN 10 (Guest): 192.168.10.0/24 — gateway 192.168.10.1
  • VLAN 20 (IoT): 192.168.20.0/24 — gateway 192.168.20.1
  • VLAN 30 (Staff): 192.168.30.0/24 — gateway 192.168.30.1

Step 0 — Backup & Prepare

  1. Log into pfSense webGUI (https://<pfsense-ip>/).
  2. Go to Diagnostics → Backup & Restore → Download Configuration.
  3. Save securely.
  4. Ensure you have console access in case of networking mistakes.

Step 1 — Create VLANs in pfSense

When you configure pfSense for segmentation, VLANs are the foundation.

  • Go to Interfaces → Assignments → VLANs → + Add.
  • Select Parent Interface (e.g., igb1).
  • Add VLAN 10 (Guest), VLAN 20 (IoT), VLAN 30 (Staff).
  • Save.

Also configure VLANs on your managed switch (trunk and access ports).


Step 2 — Assign VLAN Interfaces in pfSense

  • Interfaces → Assignments → Add VLANs.
  • Configure OPT1 = Guest, OPT2 = IoT, OPT3 = Staff.
  • Assign static IPv4 addresses:
    • Guest: 192.168.10.1/24
    • IoT: 192.168.20.1/24
    • Staff: 192.168.30.1/24

Save and Apply.


Step 3 — Configure DHCP Servers Per VLAN

  • Services → DHCP Server → Guest: Enable, range 192.168.10.100–200.
  • IoT: Enable, range 192.168.20.100–200.
  • Staff: Either static or DHCP, range 192.168.30.100–200.
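
Before typing the plan into the GUI it is worth checking it for the mistakes that later show up as "DHCP not working" or VLANs that cannot reach each other. The script below is an added example (not code from the guide or from pfSense): it loads the guide's recommended IP plan and DHCP ranges and reports overlapping subnets, gateways outside their subnet, and DHCP scopes that fall outside the subnet or would hand out the gateway address. The dictionary structure is an assumption made for the example.

```python
"""Sanity-check a pfSense VLAN/DHCP plan before entering it in the GUI.

Added example, not part of the original guide. The PLAN values are the ones
the guide recommends; the checks themselves are generic.
"""
import ipaddress

# The guide's recommended IP plan (subnets, gateways and DHCP ranges from the article).
PLAN = {
    "LAN":   {"subnet": "192.168.1.0/24",  "gateway": "192.168.1.1",  "dhcp": None},
    "Guest": {"subnet": "192.168.10.0/24", "gateway": "192.168.10.1", "dhcp": ("192.168.10.100", "192.168.10.200")},
    "IoT":   {"subnet": "192.168.20.0/24", "gateway": "192.168.20.1", "dhcp": ("192.168.20.100", "192.168.20.200")},
    "Staff": {"subnet": "192.168.30.0/24", "gateway": "192.168.30.1", "dhcp": ("192.168.30.100", "192.168.30.200")},
}


def check_plan(plan):
    """Return a list of problems found; an empty list means the plan is consistent."""
    problems = []
    nets = {}
    for name, cfg in plan.items():
        try:
            net = ipaddress.ip_network(cfg["subnet"], strict=True)
        except ValueError as exc:
            # e.g. "192.168.10.1/24": host bits set, which is a typo in the plan
            problems.append(f"{name}: bad subnet {cfg['subnet']!r} ({exc})")
            continue
        gw = ipaddress.ip_address(cfg["gateway"])
        nets[name] = net
        # hosts() excludes the network and broadcast addresses
        if gw not in net.hosts():
            problems.append(f"{name}: gateway {gw} is not a usable host in {net}")
        if cfg["dhcp"]:
            lo, hi = (ipaddress.ip_address(a) for a in cfg["dhcp"])
            if lo > hi:
                problems.append(f"{name}: DHCP range start {lo} is above end {hi}")
            if lo not in net or hi not in net:
                problems.append(f"{name}: DHCP range {lo}-{hi} is not inside {net}")
            elif lo == net.network_address or hi == net.broadcast_address:
                problems.append(f"{name}: DHCP range must not include the network or broadcast address")
            if lo <= gw <= hi:
                problems.append(f"{name}: DHCP range {lo}-{hi} would hand out the gateway {gw}")
    # Each VLAN needs a distinct subnet; overlaps break routing between them.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap: {nets[a]} / {nets[b]}")
    return problems


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan OK"]:
        print(line)
```

Run it once with the plan as you intend to enter it; an empty result means every scope sits inside its own subnet and no two VLANs share address space.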

Step 4 — Firewall Rules: Secure pfSense Traffic

One of the most critical steps when you configure pfSense is firewall rule design. By default, pfSense blocks all traffic arriving on a newly assigned interface, so the rules that permit each VLAN's outbound traffic must be defined explicitly.

  • Staff (VLAN30): Allow full outbound (with optional internal service rules).
  • Guest (VLAN10): Allow only DNS + HTTP/HTTPS. Block access to Staff.
  • IoT (VLAN20): Strict allow-lists (DNS + vendor cloud services). Block Staff access.

Remember: pfSense evaluates rules per interface, top to bottom, and the first matching rule wins, so a block rule placed below a broad allow rule never fires. Put block rules above broad allow rules.
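
The ordering point above is easy to get wrong in the GUI, so here is an added example (not pfSense code and not from the original guide) that models the Step 4 policy as per-interface rule lists and evaluates them the way pfSense does: first match wins, and an interface with no matching rule blocks the packet. It also flags rules that can never match because an earlier rule is at least as broad, which is exactly what happens when "block Guest to Staff" is placed under "allow any". The vendor cloud prefix 203.0.113.0/24 and the rule dictionary layout are placeholders chosen for the example.

```python
"""First-match simulation of per-interface pfSense rule sets.

Added example, not part of the original guide or of pfSense. It models only
what the guide relies on: per-interface rules, top-to-bottom evaluation,
first match wins, implicit default deny. Rule sets follow the guide's Step 4.
"""
import ipaddress

ANY = "any"

STAFF = ipaddress.ip_network("192.168.30.0/24")
GUEST = ipaddress.ip_network("192.168.10.0/24")
IOT = ipaddress.ip_network("192.168.20.0/24")
IOT_GATEWAY = ipaddress.ip_network("192.168.20.1/32")      # pfSense resolver on the IoT VLAN
VENDOR_CLOUD = ipaddress.ip_network("203.0.113.0/24")      # placeholder for an IoT vendor's prefix


def rule(action, proto=ANY, dst=ANY, dport=ANY, note=""):
    """One rule: proto in {"any","tcp","udp","icmp"}, dst an ip_network or "any", dport a set or "any"."""
    return {"action": action, "proto": proto, "dst": dst, "dport": dport, "note": note}


# Rule sets as the guide prescribes: block rules first, then narrow allows.
RULES = {
    "Guest": [
        rule("block", dst=STAFF, note="guest must not reach staff"),
        rule("block", dst=IOT, note="guest must not reach IoT"),
        rule("pass", proto="udp", dport={53}, note="DNS"),
        rule("pass", proto="tcp", dport={53, 80, 443}, note="DNS/HTTP/HTTPS"),
    ],
    "IoT": [
        rule("block", dst=STAFF, note="IoT must not reach staff"),
        rule("pass", proto="udp", dst=IOT_GATEWAY, dport={53}, note="DNS to pfSense resolver"),
        rule("pass", proto="tcp", dst=VENDOR_CLOUD, dport={443}, note="vendor cloud"),
    ],
    "Staff": [
        rule("pass", note="allow all outbound"),
    ],
}


def _match(r, proto, dst_ip, dport):
    if r["proto"] != ANY and r["proto"] != proto:
        return False
    if r["dst"] != ANY and dst_ip not in r["dst"]:
        return False
    if r["dport"] != ANY and dport not in r["dport"]:
        return False
    return True


def evaluate(interface, proto, dst, dport=None):
    """Return (action, note) for a packet arriving on `interface`; no match means block."""
    dst_ip = ipaddress.ip_address(dst)
    for r in RULES.get(interface, []):
        if _match(r, proto, dst_ip, dport):
            return r["action"], r["note"]
    return "block", "implicit default deny"


def _covers(a, b):
    """True if every packet that matches rule b also matches rule a."""
    proto_ok = a["proto"] == ANY or a["proto"] == b["proto"]
    dst_ok = a["dst"] == ANY or (b["dst"] != ANY and b["dst"].subnet_of(a["dst"]))
    port_ok = a["dport"] == ANY or (b["dport"] != ANY and b["dport"] <= a["dport"])
    return proto_ok and dst_ok and port_ok


def shadowed_rules(rules):
    """List (dead rule, earlier rule that shadows it) pairs; a dead block rule is a policy bug."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, later):
                out.append((later["note"], earlier["note"]))
                break
    return out


if __name__ == "__main__":
    print(evaluate("Guest", "tcp", "192.168.30.10", 443))   # blocked: guest -> staff
    print(evaluate("Guest", "tcp", "203.0.113.10", 443))    # passed: guest -> internet HTTPS
    print(evaluate("Guest", "tcp", "203.0.113.10", 22))     # blocked: not on the allow-list
    misordered = [rule("pass", note="allow everything"),
                  rule("block", dst=STAFF, note="block guest to staff")]
    print(shadowed_rules(misordered))                        # the block rule is dead
```

Running `shadowed_rules` over each list before you apply the rules catches the misordering the guide warns about; the same check applies to any block rule that protects the management LAN.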


Step 5 — Outbound NAT & Port Forwarding

  • pfSense generates outbound NAT rules automatically for every internal interface, including new VLANs.
  • Switch to manual outbound NAT only if you have a specific need for it.
  • Avoid exposing admin interfaces with port forwards — always use VPN instead.

Step 6 — Configure DNS

  • Services → DNS Resolver.
  • Enable on selected interfaces.
  • Use upstream secure DNS providers (Quad9, Cloudflare).

Step 7 — Install & Configure IDS/IPS (Suricata)

  • System → Package Manager → Install Suricata.
  • Services → Suricata → Enable on VLANs.
  • Start in IDS mode (alerts only).
  • After tuning, enable IPS inline blocking if stable.
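
"After tuning" in practice means looking at what fired during the IDS-only period and deciding which signatures are noise before anything is allowed to block. The script below is an added example (not from the guide and not part of the Suricata project): it reads alert records in the EVE JSON format Suricata writes to eve.json, counts alerts per signature and per source host, and prints Suricata threshold.config `suppress` lines for the noisiest (signature, source) pairs as candidates for review. The log lines, signature IDs 9000001/9000002, signature names and addresses are constructed for the example.

```python
"""Triage Suricata IDS alerts to find noisy signatures before enabling IPS mode.

Added example, not part of the original guide or of Suricata. SAMPLE_EVE is
constructed in the shape of Suricata's eve.json; its IDs, names and addresses
are made up. The generated lines use Suricata's threshold.config suppress syntax.
"""
import json
from collections import Counter

# Constructed sample: three repeats of one signature from an IoT host, one
# Guest -> Staff alert, one non-alert event and one corrupt line.
SAMPLE_EVE = """\
{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"alert","src_ip":"192.168.20.15","dest_ip":"203.0.113.10","proto":"TCP","alert":{"signature_id":9000001,"rev":1,"signature":"EXAMPLE Outbound IoT telemetry","category":"Misc activity","severity":3}}
{"timestamp":"2024-05-01T10:00:02.000000+0000","event_type":"alert","src_ip":"192.168.20.15","dest_ip":"203.0.113.10","proto":"TCP","alert":{"signature_id":9000001,"rev":1,"signature":"EXAMPLE Outbound IoT telemetry","category":"Misc activity","severity":3}}
{"timestamp":"2024-05-01T10:00:03.000000+0000","event_type":"flow","src_ip":"192.168.10.7","dest_ip":"203.0.113.20","proto":"TCP"}
this line is not JSON and must be skipped
{"timestamp":"2024-05-01T10:00:04.000000+0000","event_type":"alert","src_ip":"192.168.20.15","dest_ip":"203.0.113.10","proto":"TCP","alert":{"signature_id":9000001,"rev":1,"signature":"EXAMPLE Outbound IoT telemetry","category":"Misc activity","severity":3}}
{"timestamp":"2024-05-01T10:00:05.000000+0000","event_type":"alert","src_ip":"192.168.10.7","dest_ip":"192.168.30.12","proto":"TCP","alert":{"signature_id":9000002,"rev":2,"signature":"EXAMPLE Guest to Staff attempt","category":"Attempted Information Leak","severity":2}}
"""


def load_alerts(text):
    """Yield only event_type == "alert" records; skip blank or malformed lines instead of aborting."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") == "alert":
            yield ev


def summarize(text):
    """Return (alerts per (sid, name), alerts per (sid, src_ip))."""
    by_sig = Counter()
    by_sig_src = Counter()
    for ev in load_alerts(text):
        a = ev["alert"]
        by_sig[(a["signature_id"], a["signature"])] += 1
        by_sig_src[(a["signature_id"], ev["src_ip"])] += 1
    return by_sig, by_sig_src


def suppress_candidates(text, threshold=3):
    """threshold.config suppress lines for (sid, src) pairs with at least `threshold` alerts.

    These are candidates for a human to review, not an automatic allow-list: a
    signature firing repeatedly from one host may be benign telemetry or may be
    the very thing the IDS was deployed to catch."""
    _, by_sig_src = summarize(text)
    return [f"suppress gen_id 1, sig_id {sid}, track by_src, ip {src}"
            for (sid, src), n in sorted(by_sig_src.items()) if n >= threshold]


if __name__ == "__main__":
    by_sig, _ = summarize(SAMPLE_EVE)
    for (sid, name), n in by_sig.most_common():
        print(f"{n:5d}  {sid}  {name}")
    print("\n".join(suppress_candidates(SAMPLE_EVE)))
```

Point `summarize` at a real eve.json from the IDS-only period, review each candidate against the host and destination involved, and only then add the accepted suppressions and switch to inline blocking; the Guest-to-Staff alert in the sample is the kind you keep, not suppress.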

Step 8 — Configure pfSense OpenVPN for Remote Access

A common mistake is skipping VPNs or misconfiguring them. Always use OpenVPN for remote staff.

  • VPN → OpenVPN → Wizard.
  • Create CA, server certificate, and OpenVPN server.
  • Set Local Network = 192.168.30.0/24 (Staff).
  • Export clients with the Client Export package.
  • Distribute .ovpn configs securely.

Security tip: Use certificate + username + password for stronger authentication.


Step 9 — Harden pfSense Admin Access

  • Change webConfigurator port (e.g., 8443).
  • Require HTTPS (Let’s Encrypt via ACME package recommended).
  • Restrict management access to LAN only.
  • Enable 2FA if possible.

Step 10 — Regular Maintenance

  • Update pfSense monthly.
  • Export Suricata rules and configs before upgrades.
  • Schedule regular backups.

Step 11 — Verification & Testing

After you configure pfSense, always validate:

  • Ping tests (internal + external).
  • Firewall rules (block Guest to Staff).
  • VPN connectivity.
  • IDS/IPS alerts.
  • External port scan.

Common Pitfalls

  • VLANs not passing traffic → check trunk ports.
  • DHCP not working → confirm enabled per interface.
  • Firewall rules misapplied → rules are per-interface.
  • OpenVPN not routing → check Local Network setting.

Security Hardening Checklist

  • Strong admin password & non-default username.
  • Disable unused services (UPnP, Telnet).
  • Use DNS/content filtering on Guest VLAN.
  • Monitor logs & alerts regularly.

Final Notes

If you carefully configure pfSense following this step-by-step guide, your small business gains enterprise-grade security with minimal cost. VLAN segmentation, firewall discipline, IDS/IPS, and VPN access form a layered defense that protects both staff and guest networks. Regular updates and monitoring will keep your deployment resilient into 2025 and beyond.
