Introduction to a Self Managed Life: a 13 hour & 28 minute presentation by FUTO software
== Step 5: pfSense firewall introduction ==

So you have a basic idea of how to use '''pfSense''' as a basic router, but we haven't dealt with '''''port forwarding''''' or the firewall itself yet. Let's get into that. Before we make the firewall rules that let us receive email, let's discuss '''aliases''', because aliases are what make firewall rules easy to manage.

<span id="lesson-1-aliases-in-pfsense"></span>
=== Lesson 1: Aliases in pfSense ===

<span id="what-are-aliases-in-pfsense"></span>
===== What are Aliases in pfSense? =====

Aliases in '''pfSense''' are named placeholders that can represent:

* IP addresses
* Networks
* Ports
* URLs (a list of IPs or networks fetched from a URL)

For example, instead of making a separate NAT and firewall rule to open port 993 for 8.8.8.8, 9.9.9.9, 10.10.10.10, etc., I create ONE alias containing those IPs, then make ONE firewall rule and enter the alias in the field where I would usually put an IP. The cool part is that if I ever want to add or remove one of those IPs, I don't change, delete or add any firewall rules. I just change the alias. Under the hood, pfSense loads each alias into a pf table with the same name, so the running rule set picks up the new contents as soon as you apply the change.

<span id="practical-example"></span>
===== Practical example: =====

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_942c4249.png
</gallery>

Say you use a service like Freshdesk (customer service software):

* Freshdesk needs to connect to your mail server
* You don't want to give Freshdesk VPN access
* Freshdesk couldn't use your VPN anyway

Here's how you handle this situation:

* Add Freshdesk's IPs to an alias
* Only those IPs can reach your mail server on the mail-client ports
* Everyone else is blocked before they ever see the service

Using aliases this way means:

* Your mail server is invisible to random internet traffic on those ports
* Only trusted IPs can even attempt a connection
* Much more secure than opening the ports to everyone

<blockquote>'''IMPORTANT:''' While port 25 needs to be open to the world for receiving email, the other mail-related ports (587, 993, etc.) should only be open to trusted IPs or VPN users. An IP allow list is only as good as the list behind it: use the address ranges the vendor publishes, and re-check them when the vendor suddenly stops connecting. If the vendor publishes the list at a URL, the URL alias type exists for exactly that.</blockquote>

Let's say I am making firewall rules to allow Freshdesk to access my email system. Can you imagine adding every one of Freshdesk's IPs as its own separate rule, or updating them all each time Freshdesk's IPs changed? That would be a nightmare! Aliases let us put all of those IP addresses into a single thing called ''"freshdesk IP addresses"''. Then all we have to do is make one firewall rule with ''"freshdesk IP addresses"'' as the source or destination, rather than a rule for each individual IP.

<span id="benefits-of-using-aliases"></span>
===== Benefits of Using Aliases =====

# '''Simplification''': Instead of entering "192.168.5.3" into a firewall rule, once I have set up a "mailserver" alias pointing at the mail server I can just enter "mailserver".
# '''I can add to it!''' Let's say I have one smart television in my house. I want to block it from going onto the internet to ''anything'' besides a single Netflix IP address, so I add a firewall rule that blocks it from everything except that Netflix IP. Then my family buys three more smart TVs. I don't want to set up a new set of firewall rules for each one. Aliases let me put '''''multiple IP addresses in a single alias'''''. Instead of making a new set of rules per TV, I keep my existing firewall rules as they are and simply add the new TVs' IP addresses to the alias.
# '''Maintainability''': When you need to update multiple firewall rules, you update the alias instead of each individual rule.
# '''Readability''': Aliases make firewall rules understandable by using descriptive names instead of raw IP addresses or port numbers.

<span id="wtf-openvpn-was-set-up-so-we-dont-open-ports-why-are-we-talking-about-opening-ports"></span>
===== WTF? OpenVPN was set up so we DON'T open ports; why are we talking about opening ports? =====

If you are accessing your mail server over OpenVPN (AS YOU SHOULD), most of this doesn't matter. You will be opening port 25 to the world so you can receive email, but the rest of the ports are ONLY NECESSARY IF YOU WANT CLIENTS WHO ARE NOT CONNECTED TO YOUR VPN TO BE ABLE TO LOG INTO AN EMAIL ACCOUNT AND READ AND SEND MAIL ON YOUR MAIL SERVER!!! Plus, the self-hosted phone system is going to require us to allow some external IPs belonging to our SIP trunking provider (the thing that lets you send and receive calls to phones outside your house) to reach our server anyway, so you might as well learn about aliases now.

<span id="how-to-set-up-aliases-in-pfsense"></span>
==== How to Set Up Aliases in pfSense ====

<span id="accessing-the-aliases-page"></span>
===== 5.1.1 Accessing the Aliases Page =====

# Log into the '''pfSense''' web interface.
# Navigate to '''Firewall > Aliases'''.
# Click '''Add'''.

<span id="creating-an-alias"></span>
===== 5.1.2 Creating an Alias =====

# In the '''Name''' field, enter a descriptive name for your alias (e.g., "WebServers" or "BlockedIPs"). For our mail server I would enter <code>mailserver</code>.
# Select the '''Type''' of alias you want to create:
#* Host: for single IP addresses
#* Network: for subnets
#* Port: for port numbers
#* URL: for a list of IPs or networks fetched from a URL
# In the '''Description''' field, enter a brief explanation of the alias's purpose, for example "mailcow host".
# In the content box, enter the values for your alias:
#* For host aliases: enter IP addresses, one per line, such as our mail server at <code>192.168.5.3</code>.
# Click '''Save''', then '''Apply Changes'''.

<span id="using-aliases-in-firewall-rules"></span>
===== 5.1.3 Using Aliases in Firewall Rules =====

# Go to '''Firewall > Rules''' (for a port forward, '''Firewall > NAT'''; both accept aliases in the same way).
# Add a new rule or edit an existing one.
# In the '''Source''' or '''Destination''' fields, you can now select your alias from the drop-down menu.
# For port fields, you can select port aliases the same way.

Example rule using aliases:

* '''Action''': Pass
* '''Interface''': WAN
* '''Source''': Any
* '''Destination''': WebServers (alias)
* '''Destination Port''': WebPorts (alias)

This rule allows incoming traffic to the IP addresses defined in the <code>WebServers</code> alias on the ports defined in the <code>WebPorts</code> alias. To confirm what an alias currently resolves to on the running firewall, run <code>pfctl -t WebServers -T show</code> from the pfSense shell (Diagnostics > Command Prompt works too); every alias is loaded as a pf table of the same name.

<span id="using-aliases-for-secure-access"></span>
=== Using Aliases for Secure Access ===

If you want external access to your mail server ''without'' requiring the VPN, you'll need an alias of trusted IPs to restrict the rule to. The alternative is opening those ports to the entire world, which is a poor idea.

<span id="lesson-2-setting-up-pfsense-firewall-rules-for-a-mail-server"></span>
=== Lesson 2: Setting Up pfSense Firewall Rules for a Mail Server ===

<span id="understanding-nat-vs.-firewall-rules"></span>
===== Understanding NAT vs. Firewall Rules =====

Let's understand the two types of rules you need to set up in '''pfSense''':

<span id="nat-network-address-translation"></span>
===== NAT (Network Address Translation) =====

NAT determines ''where'' traffic goes. Here's why it matters:

* Your network has one public IP that the world sees
* But you might have 200+ computers internally
* When someone sends you an email, the NAT port forward tells the router ''"traffic on port 25 goes to the mail server, port 80 goes to the web server"'', etc.

Think of NAT like a restaurant host: they decide which table gets which customers.

<span id="firewall-rules"></span>
===== Firewall Rules =====

Firewall rules determine whether traffic is ''allowed'' to pass. After NAT has rewritten the destination, the rules on the WAN interface decide whether the packet gets through; anything no rule passes is blocked, because pfSense denies by default. Think of firewall rules like the bouncer: they decide if you get in at all.

<span id="practical-application"></span>
===== Practical Application =====

A '''NAT port forward''' is when the router sees an email coming in on port 25 to my Spectrum internet address and sends that connection to our mail server on port 25.

Once NAT has sent that connection to my mail server on port 25, the '''firewall rule''' is what '''allows''' that traffic to reach port 25 on our mail server.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_1f1b2c6a.png
File:lu55028jxdmy_tmp_31037c49.png
File:lu55028jxdmy_tmp_8d77cc05.png
File:lu55028jxdmy_tmp_54c8a9f1.png
File:lu55028jxdmy_tmp_17e7dded.png
File:lu55028jxdmy_tmp_cc025f84.png
</gallery>

<span id="setting-up-mail-server-port-forwarding-so-you-receive-emails"></span>
==== Setting Up Mail Server Port Forwarding so you Receive emails: ====

A "mail client" is a program you use to read and send your email from the mail server (the mailcow machine we are setting up). Examples are K-9 Mail, Microsoft Outlook, Mozilla Thunderbird, etc., or just the web interface.

If you are going to use the mail server while connected to the VPN, '''''THIS IS THE ONLY RULE YOU NEED TO ADD!''''' This rule is for '''receiving email''', and this port '''''must''''' be opened to the public.

<span id="create-nat-rule"></span>
===== Create NAT Rule =====

# Access '''pfSense''' at <code>https://192.168.5.1</code>
# Go to '''Firewall → NAT'''
# Under the '''Port Forward''' tab, click '''Add'''
# Configure the following:
#* '''Interface''': WAN (incoming traffic)
#* '''Protocol''': TCP
#* '''Source''': Any ''(you can't predict which mail servers will email you)''
#* '''Destination''': WAN address
#* '''Destination Port Range''': 25
#* '''Redirect Target IP''': Your mail server IP (in our example, <code>192.168.5.3</code>)
#* '''Redirect Target Port''': 25
#* '''Description''': "Receive Emails"
# '''Important''': Under '''Filter rule association''', choose "Add associated filter rule" so pfSense creates the matching WAN pass rule for you
# Click '''Save'''
# Click '''Apply Changes'''

'''Critical Note''': Port 25 MUST be open or you'll never receive email. This is non-negotiable for a mail server. It also means your SMTP daemon is reachable by anyone on the internet, so keep mailcow updated and keep the other mail ports restricted as described above.

<blockquote>'''NOTE:''' When setting up port forwarding for a mail server, make sure that your ISP isn't blocking port 25 to stop spam. Yours might. It's not unheard of with residential internet providers. You are paying for a residential connection, not a business one, and they'll [https://www.youtube.com/watch?v=izXnCkrfjO0 remind you of it any way they can] (actually, they'll do that even when you pay $409.99/mo for the business one).</blockquote>

<span id="step-6-add-pfsense-firewall-rules-for-real"></span>
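The policy built up across Lesson 1 and Lesson 2 (a <code>mailserver</code> alias, a <code>freshdesk_ips</code> alias, the port 25 forward with its associated filter rule, and a second forward for the client ports restricted to the vendor alias) can be sanity-checked offline before it is applied. The Python below is an added example written for this page; it is not pfSense code and not part of the original guide. It models the order pfSense applies to an inbound WAN packet (port-forward NAT first, then the first matching filter rule, otherwise block). The mail server address 192.168.5.3 is the page's; the vendor ranges 203.0.113.x and 198.51.100.0/28, the alias names and the rule descriptions are constructed placeholders.

```python
"""Offline model of a pfSense WAN policy: aliases, a port forward and
first-match filter rules with default deny.

Added example, not pfSense code.  It follows the order pfSense applies to
an inbound WAN packet (port-forward NAT first, then the first matching
filter rule, otherwise block) so a policy like "port 25 from anyone,
587/993 only from the helpdesk vendor" can be checked before applying it.
The mail server (192.168.5.3) is the page's; the vendor ranges are
constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# Firewall > Aliases: host/network aliases and port aliases, by name.
HOST_ALIASES: Dict[str, List[str]] = {
    "mailserver": ["192.168.5.3"],
    # Placeholders standing in for the vendor's published egress ranges.
    "freshdesk_ips": ["203.0.113.10", "203.0.113.11", "198.51.100.0/28"],
}
PORT_ALIASES: Dict[str, List[int]] = {
    "mail_auth_ports": [587, 993],        # submission and IMAPS
}

PortSpec = Union[str, int]               # "any", a port number or a port alias


def in_host_alias(ip: str, spec: str) -> bool:
    """True if ip matches spec ("any" or a host/network alias name)."""
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in HOST_ALIASES[spec])


def port_in(port: int, spec: PortSpec) -> bool:
    """True if port matches spec ("any", a number or a port alias name)."""
    if spec == "any":
        return True
    if isinstance(spec, int):
        return port == spec
    return port in PORT_ALIASES[spec]


@dataclass
class PortForward:                       # Firewall > NAT > Port Forward
    src: str                             # "any" or host alias
    wan_port: PortSpec                   # destination port range
    target: str                          # redirect target IP
    target_port: Optional[int]           # None keeps the original port
    desc: str = ""


@dataclass
class Rule:                              # Firewall > Rules > WAN
    action: str                          # "pass" or "block"
    src: str                             # "any" or host alias
    dst: str                             # "any" or host alias, post-NAT
    dport: PortSpec
    desc: str = ""


PORT_FORWARDS = [
    PortForward("any", 25, "192.168.5.3", 25, "Receive Emails"),
    PortForward("freshdesk_ips", "mail_auth_ports", "192.168.5.3", None,
                "Helpdesk IMAP/submission"),
]

# The associated filter rules pfSense generates for the forwards above.
# Order matters: pfSense evaluates WAN rules top-down, first match wins.
WAN_RULES = [
    Rule("pass", "any", "mailserver", 25, "Receive Emails"),
    Rule("pass", "freshdesk_ips", "mailserver", "mail_auth_ports",
         "Helpdesk IMAP/submission"),
]


def evaluate(src_ip: str, dst_port: int) -> Tuple[str, str]:
    """Verdict ("pass"/"block") and post-NAT "ip:port" for an inbound TCP
    packet addressed to the WAN address."""
    dst_ip, port = "wan", dst_port
    for fwd in PORT_FORWARDS:            # NAT: first matching forward wins
        if in_host_alias(src_ip, fwd.src) and port_in(dst_port, fwd.wan_port):
            dst_ip = fwd.target
            port = dst_port if fwd.target_port is None else fwd.target_port
            break
    for rule in WAN_RULES:               # filter: first match wins
        dst_ok = rule.dst == "any" or (
            dst_ip != "wan" and in_host_alias(dst_ip, rule.dst))
        if in_host_alias(src_ip, rule.src) and dst_ok and port_in(port, rule.dport):
            return rule.action, f"{dst_ip}:{port}"
    return "block", f"{dst_ip}:{port}"  # nothing matched: WAN default deny


def allow_new_vendor_ip(ip: str) -> None:
    """The vendor gained an egress IP: edit the alias, not the rules."""
    HOST_ALIASES["freshdesk_ips"].append(ip)


if __name__ == "__main__":
    for src, port in [("198.51.100.200", 25), ("203.0.113.10", 993),
                      ("198.51.100.200", 993), ("203.0.113.10", 22)]:
        print(src, port, evaluate(src, port))
    allow_new_vendor_ip("192.0.2.7")
    print("192.0.2.7", 993, evaluate("192.0.2.7", 993))
```

The second forward restricts by source as well as port, which is the point of the alias: a host outside <code>freshdesk_ips</code> never gets a packet to 192.168.5.3:993 because the forward itself does not match, and no rule passes traffic to the WAN address on that port, so the connection is dropped before the IMAP daemon sees it. Calling <code>allow_new_vendor_ip</code> flips the verdict for that one address without a rule being edited, exactly as adding a line to the alias does in the GUI. On the real firewall the same checks can be made against what pfSense actually generated: <code>pfctl -sn</code> lists the loaded port-forward (rdr) rules and <code>pfctl -sr</code> the filter rules.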