pfSense Configuration

Overview

pfSense is an open-source firewall and router platform based on FreeBSD. It provides enterprise-grade features including stateful packet filtering, NAT, VPN, traffic shaping, and comprehensive network management capabilities. This makes it ideal for creating isolated, secure lab environments for penetration testing.

Official website: https://www.pfsense.org/

Virtual Environment Only - Not for Production Use

This configuration guide is specifically for virtual lab environments only. Running pfSense virtualized for production or normal daily use is strongly discouraged due to:

  • Instability: Virtual routing can be unstable and may cause network interruptions
  • Boot Order Dependency: pfSense VM must be started before all client VMs, or they will lose network connectivity
  • Performance Issues: Virtual networking adds latency and overhead
  • Limited Hardware Access: Cannot utilize dedicated network hardware or NICs efficiently

For production environments, always install pfSense on bare metal (dedicated physical hardware).

🔌🛠️ Initial Setup - Port Assignment and IP Configuration

Console Configuration

After the initial boot, pfSense will present a console menu.

  1. Assign Interfaces (Option 1)
  2. Assign WAN interface to your external/host network adapter (bridge or NAT)
  3. Assign LAN interface to your internal lab network adapter (LAN Segment)
  4. Set Interface IP Addresses (Option 2)

WAN Interface:

  • Configure via DHCP or set static IP in your host network range (e.g., 192.168.10.10/24)
  • Gateway: Your host network gateway

LAN Interface:

  • Static IP: 10.0.0.1
  • Subnet mask: 24 (255.255.255.0)
  • Enable DHCP server for LAN: Yes
  • DHCP range: 10.0.0.150 to 10.0.0.200

Once the LAN address is set, the web interface is reachable at http://10.0.0.1 from any VM on the LAN network.

⚙️🔧 Web Interface Configuration

Basic Settings

  1. System > General Setup
    • Hostname: pfsense
    • Domain: lab.local
    • DNS Servers: Add your preferred DNS (e.g., 8.8.8.8, 1.1.1.1)

DNS Configuration

Navigate to Services > DNS Resolver

  1. Enable DNS Resolver
  2. Configure the following settings:

    • Network Interfaces: LAN
    • DHCP Registration: Enable (allows DHCP clients to register in DNS)
    • Static DHCP: Enable (registers static DHCP mappings)

🧱 Firewall Rules

Navigate to Firewall > Rules > LAN

Create rules to control lab traffic. Rule order matters - rules are processed from top to bottom.

Critical Security Rules

Never allow vulnerable systems (Metasploitable, OWASP applications, Windows XP/7) to access the internet! These systems are intentionally vulnerable and should remain completely isolated from external networks.

⚠️ Recommended Rule Configuration:

Rule                   | Action | Protocol | Source                  | Destination | Description
Allow Kali to Internet | Pass   | Any      | Single host: 10.0.0.100 | Any         | Allow Kali Linux for tool updates
Block LAN to WAN       | Block  | Any      | LAN net                 | WAN net     | Block vulnerable systems from Internet
Allow LAN to LAN       | Pass   | Any      | LAN net                 | LAN net     | Allow internal lab communication

Rule Order is Critical

Place the Kali Linux allow rule FIRST, then the block rule, then the LAN-to-LAN rule. The first matching rule wins, so specific exceptions must come before general blocks.
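As an added example (not from the page or from pfSense itself), the script below simulates pfSense's first-match evaluation over the three rules in the table, using the page's LAN subnet 10.0.0.0/24 and an assumed host network of 192.168.10.0/24 as "WAN net". It shows the Kali exception being shadowed when the block rule is moved above it, and that internet-bound traffic from the other lab hosts is stopped by the implicit default deny rather than by the block rule, because that rule's destination is the WAN subnet only.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not pfSense code. LAN net comes from the page; the WAN
# subnet is assumed to be the host network used in the port-assignment step.
LAN_NET = ipaddress.ip_network("10.0.0.0/24")
WAN_NET = ipaddress.ip_network("192.168.10.0/24")
ALIASES = {"LAN net": LAN_NET, "WAN net": WAN_NET}


@dataclass
class Rule:
    name: str
    action: str         # "Pass" or "Block"
    source: str         # pfSense alias, single host, CIDR, or "Any"
    destination: str


def _matches(spec: str, addr) -> bool:
    if spec == "Any":
        return True
    net = ALIASES[spec] if spec in ALIASES else ipaddress.ip_network(spec, strict=False)
    return addr in net


def evaluate(rules, src: str, dst: str):
    """First matching rule wins; no match falls through to pfSense's default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if _matches(r.source, s) and _matches(r.destination, d):
            return r.action, r.name
    return "Block", "default deny"


# The three rules from the table, in the order the page recommends.
RECOMMENDED = [
    Rule("Allow Kali to Internet", "Pass", "10.0.0.100", "Any"),
    Rule("Block LAN to WAN", "Block", "LAN net", "WAN net"),
    Rule("Allow LAN to LAN", "Pass", "LAN net", "LAN net"),
]
# Same rules with the block moved to the top: the Kali exception is shadowed.
MISORDERED = [RECOMMENDED[1], RECOMMENDED[0], RECOMMENDED[2]]

if __name__ == "__main__":
    flows = [("10.0.0.100", "192.168.10.1"), ("10.0.0.60", "192.168.10.1"),
             ("10.0.0.60", "8.8.8.8"), ("10.0.0.60", "10.0.0.50")]
    for src, dst in flows:
        print(f"{src} -> {dst}: recommended={evaluate(RECOMMENDED, src, dst)}"
              f" misordered={evaluate(MISORDERED, src, dst)}")
```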

RFC1918 Networks Configuration

Navigate to Interfaces > WAN

If you need connectivity between the host machine and lab VMs:

  • Uncheck "Block private networks and loopback addresses"
  • Uncheck "Block bogon networks"

This allows RFC1918 private addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to traverse the WAN interface, enabling communication between your host and the lab environment.

Security Warning

Only disable RFC1918 blocking if your WAN interface is connected to a trusted network (like your host-only adapter). Never disable this on internet-facing interfaces.

🤝 Local DNS Configuration for Web Applications

For hosting multiple web applications on a single IP using domain names, configure DNS Host Overrides and set up a reverse proxy.

Step 1: DNS Host Overrides in pfSense

Navigate to Services > DNS Resolver > Host Overrides

Add the following entries for your vulnerable web applications:

Host    | Domain   | IP Address | Description
webgoat | dojo.lan | 10.0.0.50  | WebGoat Application
django  | dojo.lan | 10.0.0.50  | Django Application
casino  | dojo.lan | 10.0.0.50  | Casino Application
shop    | dojo.lan | 10.0.0.50  | Juice Shop
cheese  | dojo.lan | 10.0.0.50  | Cheese Shop

Save and Apply Changes after adding all entries.

Step 2: Reverse Proxy Configuration on Web Server

On the server hosting your applications (10.0.0.50), configure Apache as a reverse proxy to route requests based on the domain name.

Enable Required Apache Modules

sudo a2enmod proxy
sudo a2enmod proxy_http
sudo systemctl restart apache2

Create Virtual Host Configurations

For each application, create a virtual host configuration file in /etc/apache2/sites-available/.

Example: casino.dojo.lan.conf

<VirtualHost *:80>
    ServerName casino.dojo.lan

    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/

    ErrorLog ${APACHE_LOG_DIR}/casino_error.log
    CustomLog ${APACHE_LOG_DIR}/casino_access.log combined
</VirtualHost>

Configuration for Other Applications:

Domain           | Port | Config File
webgoat.dojo.lan | 8081 | webgoat.dojo.lan.conf
django.dojo.lan  | 8091 | django.dojo.lan.conf
shop.dojo.lan    | 3008 | shop.dojo.lan.conf
cheese.dojo.lan  | 8008 | cheese.dojo.lan.conf

Enable Virtual Hosts

sudo a2ensite casino.dojo.lan.conf
sudo a2ensite webgoat.dojo.lan.conf
sudo a2ensite django.dojo.lan.conf
sudo a2ensite shop.dojo.lan.conf
sudo a2ensite cheese.dojo.lan.conf

sudo systemctl reload apache2

Step 3: Testing Configuration

Test DNS Resolution:

nslookup casino.dojo.lan
# Should return: 10.0.0.50

Test Web Access:

Open a browser and navigate to http://casino.dojo.lan/. You should see the application running on port 3000, not the default Apache page.

If issues occur, examine the logs:

tail -f /var/log/apache2/casino_error.log
tail -f /var/log/apache2/casino_access.log

🐛 Common Issues

  • Seeing default Apache page: Ensure the virtual host is enabled and ServerName matches exactly
  • DNS not resolving: Verify Host Overrides are saved and DNS Resolver is running
  • Connection refused: Check that the backend application is running on the specified port
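The script below, an added example that is not part of the page, automates the Step 3 checks for every host override and maps the failures to the Common Issues list: it resolves each name, then sends a request to 10.0.0.50 with the Host header the vhost matches on and reports whether the default Apache page came back. The resolver and fetcher are injectable, so the classification logic can be exercised offline; the default-page detection assumes the stock Debian/Ubuntu index page title.

```python
import socket
import urllib.request

# Added example, not pfSense or Apache code. Values come from the page's tables.
WEB_SERVER = "10.0.0.50"
DOMAIN = "dojo.lan"
HOSTS = ["webgoat", "django", "casino", "shop", "cheese"]


def looks_like_default_apache(body: str) -> bool:
    """Stock Debian/Ubuntu index pages are titled 'Apache2 ... Default Page' (assumed)."""
    return "Apache2" in body and "Default Page" in body


def fetch(fqdn: str) -> str:
    """Plain HTTP GET to the web server, with the Host header set to the vhost name."""
    req = urllib.request.Request(f"http://{WEB_SERVER}/", headers={"Host": fqdn})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read(4096).decode("utf-8", "replace")


def check_host(name: str, resolve=socket.gethostbyname, get=fetch) -> str:
    """Return ok, dns-error, dns-mismatch, connection-error or default-page."""
    fqdn = f"{name}.{DOMAIN}"
    try:
        ip = resolve(fqdn)
    except OSError:
        return "dns-error"          # Host Override missing or DNS Resolver not running
    if ip != WEB_SERVER:
        return "dns-mismatch"       # override points somewhere else
    try:
        body = get(fqdn)
    except OSError:                 # URLError/HTTPError are OSError subclasses
        return "connection-error"   # Apache down, or backend not listening on its port
    if looks_like_default_apache(body):
        return "default-page"       # vhost not enabled or ServerName mismatch
    return "ok"


if __name__ == "__main__":
    for host in HOSTS:
        print(f"{host}.{DOMAIN}: {check_host(host)}")
```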

Configuration Summary

Your pfSense lab setup should now include:

  • ✅ WAN and LAN interfaces properly assigned
  • ✅ Static IP addressing for LAN network
  • ✅ DHCP server for automatic client configuration
  • ✅ DNS Resolver for internal name resolution
  • ✅ Firewall rules controlling lab traffic
  • ✅ Local DNS entries for web applications
  • ✅ RFC1918 settings configured for host connectivity

This configuration provides a secure, isolated environment for penetration testing while maintaining necessary connectivity and services.