Configure pfSense

Configure the wizard with the following settings:

| Setting | Value |
| --- | --- |
| Hostname | pfSense |
| Domain | home.arpa |
| Primary DNS Server | 208.67.222.222 |
| Secondary DNS Server | 9.9.9.9 |
| Override DNS | Allow |
| Time server hostname | 2.pfsense.pool.ntp.org |
| Timezone | Europe/Berlin |
| SelectedType | DHCP |
| pptplocalsubnet | 32 |
| Block RFC1918 Private Networks | Block |
| LAN IP Address | dhcp |
| Subnet Mask | 24 |
| Admin Password | <Enter a password> |
| Admin Password AGAIN | <Repeat password> |

Remove the allow-all rule created by the initial setup, so that access is limited to the WebUI only.

  1. Select Firewall > Rules in the top navigation.
  2. Select Add.
  3. Set Destination to This firewall (self).
  4. Set Destination Port Range From and To to HTTPS (443).
  5. Select Apply changes.
  6. Select the Bin icon to remove the Allow all ipv4+ipv6 rule.

If you plan to put your pfSense into production, it is best practice to make the WebUI reachable only from a local network, so that it is not accessible from the internet.

To do so, configure a (road warrior) VPN that lets you connect remotely to your VPC network, which is allowed to access the WebUI.

If DNS resolution is not working properly, take the following actions.

  1. Select System > General Setup in the top navigation.
  2. Set the Gateway of every DNS server to WAN.

Enable VMs in the VPC Network to communicate over the internet.

  1. Select Firewall > NAT > Outbound in the top navigation.
  2. Select Hybrid Outbound NAT to enable Hybrid Outbound NAT rule generation.
  3. Select Save.
  4. Create an Outbound NAT rule by selecting Add with the following settings:
    | Setting | Value |
    | --- | --- |
    | disabled | false |
    | Do not NAT | false |
    | Interface | WAN |
    | Address Family | IPv4 |
    | Protocol | any |
    | Source | Any |
    | Destination | Any |
    | Address | Interface Address |
  5. Save and Apply.

Now your VPC VMs should be able to communicate over the internet.