pfSense Security Hardening: 12-Block Firewall Configuration

Context

After installing pfSense CE 2.8.1 on the repurposed Sophos SG210, I carried out a structured hardening process in 12 blocks to strengthen the homelab router/firewall. The infrastructure has two pfSense instances: a physical one (pfsense-sophos, Sophos SG210) and a VM mirror (pfsense-vm on PVE-02) — hence the importance of a synchronisation and failover procedure.

The 12 hardening blocks

Blocks 1–5 — Administration hardening

Block 1 — Identity and access

• Changed the default admin account (strong password, stored in Vaultwarden)
• WebUI access (443) restricted to MGMT interface (172.16.10.0/24) only
• WebUI access on WAN disabled

Block 2 — Secure NTP

• Replaced default NTP servers (0.pfsense.pool.ntp.org) with trusted sources
• NTP service restricted to internal VLANs only

Block 3 — Secure DNS (DNS over TLS / HTTPS)

• Configured the DNS resolver (Unbound) with DNS over TLS to trusted resolvers
• DNSSEC validation enabled
• Outbound unencrypted DNS queries blocked

Block 4 — Logging and audit

• Detailed per-rule firewall logs enabled
• Log forwarding to supervision server configured (syslog remote — in progress)
• Local log retention with rotation

Block 5 — Backups

• Full XML configuration export (Diagnostics → Backup menu)
• Documented rapid restore procedure

Blocks 6–11 — Network security and filtering

Block 6 — Firewall rule review

• Full audit of rules per VLAN interface (least-privilege principle)
• Removed overly permissive rules left from initial installation

Block 7 — Residual inter-VLAN filtering

• pfSense retains WAN→LAN filtering and flows the Cisco 3560-CX cannot intercept
• Explicit rules: GUEST and IOT have no access to administration services

Block 8 — Manual outbound NAT

• Switched to manual NAT mode (no automatic NAT)
• Per-VLAN source masquerade rules (outbound masquerade to WAN)

Block 9 — Secure SNMP

• Non-trivial community string (not public / private)
• Source IP restriction: only the Zabbix LXC (VLAN 10 MGMT) is authorised to query SNMP

Block 10 — Security packages

• pfBlockerNG installed and configured (DNS-based ad/malware blocking)
• Suricata / Snort evaluated on WAN interface (IDS/IPS)

Block 11 — Dashboard and reduced exposure

• WebUI dashboard cleaned up (unused widgets removed)
• Unused services disabled (mDNS/Avahi when not required, etc.)

Block 12 — Physical ↔ VM synchronisation and resilience

• Documented failover procedure between pfsense-sophos (physical) and pfsense-vm (PVE-02 VM)
• XML configuration synchronisation between both instances
• Post-failover validation tests (WAN connectivity, firewall rules, DNS)
• Benefit: if the Sophos SG210 fails, the VM takes over in minutes

Result

Hardened firewall according to best practices, with:

• Admin access restricted to VLAN MGMT only
• Full logs for audit and incident detection (Loki via syslog planned)
• Network isolation verified by testing (inter-VLAN pings blocked per Cisco ACL policy)
• Resilience ensured by dual physical/VM instances and documented failover procedure

Skills covered

This project directly covers cybersecurity of a network infrastructure (B3.5), equipment and usage hardening (B3.3), availability and integrity assurance via backups and synchronisation (B3.4), and infrastructure evolution (B2.3).