Firewall deployment documentation

pfSense
Edge Firewall

Deployment notes for replacing ISP gateway routing with pfSense and building the network foundation for InfraSynth Labs.

Objective

Deploy pfSense as the primary edge firewall and router for the lab network.

Deployment Goal

The goal of this deployment was to move routing and firewall control away from the ISP gateway and onto pfSense. This creates a stronger foundation for future VLANs, firewall rules, VPNs, monitoring, public service isolation, and lab documentation.

Status: Deployed. Scope: Firewall, Routing, DHCP, DNS, NAT.

Current State

pfSense Online
WAN Active
LAN DHCP Active
DNS Resolver Active

Topology

The initial firewall deployment keeps the network simple while the foundation is verified.

Current Network Path

Internet
   │
Fiber ONT
   │
pfSense Firewall
   │
Lab Network
   │
Clients / Server Hardware

Planned Network Path

Internet
   │
Fiber ONT
   │
pfSense Firewall
   │
Cisco Catalyst 3750G
   │
├── Admin Workstation
├── Proxmox Host
├── Lab Clients
├── Future Wi-Fi AP
└── Future Server / Services

Design Choice

pfSense remains the primary router and firewall. The Cisco switch will be introduced later as the managed core switch, not as the internet edge device.

Configuration Summary

Current pfSense configuration is focused on stable WAN access and a working LAN foundation.

Area             Configuration                                          Status
WAN              DHCP-delivered static public IP from ISP               Active
LAN              Private internal lab network                           Active
DHCP Server      Handled by pfSense on the LAN side                     Active
DNS              pfSense DNS Resolver used as internal DNS foundation   Active
NAT              Automatic outbound NAT during foundation phase         Active
Firewall Rules   Basic LAN outbound access during initial setup         Active
VLANs            Not yet configured                                     Planned
Monitoring       Not yet configured                                     Planned

WAN Configuration

The ISP provides a static public IP through DHCP reservation, not manual static entry.

Important WAN Detail

The WAN interface should use DHCP because the ISP assigns the static public IP through a DHCP reservation. The public address is static from the ISP side, but pfSense still receives it through DHCP. Entering the address by hand as a static WAN skips that DHCP exchange, which is also what supplies the upstream gateway, so a manual entry would have to carry a correct gateway as well.

WAN IPv4 Configuration Type: DHCP
Static IP Delivery Method: ISP DHCP Reservation
Manual Static WAN Entry: Not Used
Correct method: DHCP on the WAN interface, static reservation held by the ISP

Do Not Publish

Public IP Redacted
Gateway Redacted
MAC Address Redacted
ISP Details Redacted

LAN Foundation

pfSense currently provides the internal network foundation for lab devices.

Gateway

pfSense acts as the default gateway for the internal lab network. Internal clients use the firewall for outbound access.

Status: Active

DHCP

pfSense provides DHCP on the LAN side. This allows clients to receive internal addresses, gateway information, and DNS automatically.

Status: Active

DNS

pfSense DNS Resolver is used as the DNS foundation. This will later support internal hostnames and lab naming.

Status: Active

Firewall Rules

The current firewall policy is simple while the base network is being stabilized.

Foundation Phase Policy

During the foundation phase, the LAN is allowed outbound internet access through pfSense. This is useful while hardware, DNS, DHCP, and switching are still being introduced.

Later phases will move toward least-privilege firewall rules once VLANs and public service isolation are added.

Status: LAN outbound allowed with automatic NAT; segmentation to follow.

Future Rule Areas

Management Access Planned
Server VLAN Planned
Guest Network Planned
DMZ Services Planned

Security Notes

The firewall is the most sensitive part of the lab and should remain protected.

Management Safety

pfSense management should remain internal only. The web interface, SSH, and other administrative services should not be exposed directly to the public internet. pfSense blocks unsolicited inbound traffic on WAN by default, so in practice this means never adding a WAN pass rule or port forward that reaches the web GUI or SSH port, and checking for such rules before any config export is shared.

Status: no public admin access, internal management only; least-privilege rules to follow, documentation sanitized.

Public Docs Rules

WAN IP: redact
Firewall screenshots: sanitize before publishing
Serials / MACs: remove
Credentials: never published

Issues Encountered

Initial deployment included WAN and gateway behavior that required troubleshooting.

Gateway / WAN Behavior

During initial setup, pfSense received the ISP-assigned public address but gateway status and external connectivity did not behave correctly at first.

The key discovery was that the static public IP is delivered through DHCP reservation. Once the WAN configuration matched the ISP delivery method and the firewall was rebooted, connectivity returned.

Status: Resolved. Cause: WAN gateway behaviour with a DHCP-delivered static IP. See the separate WAN troubleshooting log.

Lessons

Static IP: can still be delivered over DHCP
Gateway status: check it separately from whether the interface has an address
Interface mapping: verify which physical NIC is WAN and which is LAN
Reboot state: can matter after a WAN configuration change
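The WAN check that the WAN Configuration section and the lessons above describe, written as an added example (not part of the original page and not the lab's own tooling) in the shell you would use on the pfSense console. It assumes the WAN NIC is em0 and that the ISP reservation is 203.0.113.10 (the documentation range stands in for the real public block). The lease-file and routing-table text is constructed so the script runs offline; on the firewall you would feed it the output of `cat /var/db/dhclient.leases.em0` and `netstat -rn -f inet` instead.

```sh
#!/bin/sh
# Added example: verify a DHCP-delivered "static" WAN address on pfSense/FreeBSD.
# Two separate checks, because an interface can hold the right address while the
# default route is wrong or missing:
#   1. the newest dhclient lease carries the address the ISP reserved for us
#   2. the kernel default route points at the router the same lease handed out
# Assumptions (not from the page): WAN NIC em0, reservation 203.0.113.10.
# SAMPLE_LEASES and SAMPLE_ROUTES are constructed stand-ins for the real files.

EXPECTED_WAN_IP="203.0.113.10"

# ISC dhclient appends to /var/db/dhclient.leases.<if>; the newest lease is last.
SAMPLE_LEASES='lease {
  interface "em0";
  fixed-address 203.0.113.10;
  option subnet-mask 255.255.255.0;
  option routers 203.0.113.1;
  option domain-name-servers 203.0.113.53;
  renew 2 2024/01/02 03:04:05;
  rebind 2 2024/01/02 13:04:05;
  expire 2 2024/01/02 15:04:05;
}'

# Shape of "netstat -rn -f inet" on FreeBSD.
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.10.0.0/24       link#2             U           em1
127.0.0.1          link#3             UH          lo0
203.0.113.0/24     link#1             U           em0'

# lease_field FIELD LEASE_TEXT
# Prints "fixed-address" or the "option <FIELD>" value from the newest lease
# (last match wins), with the trailing ';' stripped. Empty if not present.
lease_field() {
    printf '%s\n' "$2" | awk -v f="$1" '
        $1 == f { v = $2 }
        $1 == "option" && $2 == f { v = $3 }
        END { sub(/;$/, "", v); print v }'
}

# default_gw ROUTE_TEXT: the IPv4 default gateway, empty if there is none.
default_gw() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $2; exit }'
}

# check_wan EXPECTED LEASE_TEXT ROUTE_TEXT
# Prints one line per check; returns 0 only if both pass.
check_wan() {
    expected="$1"; leases="$2"; routes="$3"; rc=0
    leased=$(lease_field fixed-address "$leases")
    router=$(lease_field routers "$leases")
    gw=$(default_gw "$routes")

    if [ "$leased" = "$expected" ]; then
        echo "ok   leased address $leased matches the ISP reservation"
    else
        echo "FAIL leased address '$leased' != expected $expected"; rc=1
    fi
    if [ -n "$gw" ] && [ "$gw" = "$router" ]; then
        echo "ok   default route via DHCP-supplied router $gw"
    else
        echo "FAIL default gateway '$gw' != DHCP router '$router'"; rc=1
    fi
    return $rc
}

check_wan "$EXPECTED_WAN_IP" "$SAMPLE_LEASES" "$SAMPLE_ROUTES"
```

The second check is the one that would have caught the initial deployment problem: the interface had its public address, but the gateway state was a separate question. Running it after every reboot or WAN change is cheap, and the pfSense gateway monitor (dpinger) status in the GUI is the equivalent check from the other side.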

Future Work

pfSense will become the control point for future segmentation and public service isolation.

VLANs

Add VLAN interfaces on pfSense once the Cisco switch baseline is configured and tested.

Status: Planned

Firewall Policy

Replace broad foundation-phase access with clearer least-privilege rules between networks.

Status: Planned

Monitoring

Add visibility for WAN uptime, gateway status, logs, blocked traffic, and service health.

Status: Planned

VPN

Future remote access should use a controlled VPN instead of exposing management panels.

Status: Planned

Public Services

Public services should be isolated away from personal devices and management interfaces.

Status: Planned

Backups

Export and store sanitized configuration backups after stable milestone changes.

Status: Planned
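The publication rules from the Security Notes section (Do Not Publish, Public Docs Rules) and the sanitized config backup planned above can be enforced with one script before a backup is committed to the docs. The following is an added example, not pfSense code and not the lab's own tooling. It reads an exported config.xml, checks the two invariants this page states (WAN set to DHCP, no WAN pass rule reaching the web GUI or SSH), and then redacts public IPv4 addresses, MAC addresses and credential-like elements. The element paths follow pfSense's config.xml layout; the embedded config is a constructed subset with 203.0.113.0/24 standing in for the real public block, and the SECRET_WORDS list is an assumption to extend for your own config.

```python
"""Audit an exported pfSense config.xml against this page's rules and sanitize it
for publication. Added example: not pfSense code and not the lab's own tooling.
Element paths follow the real config.xml layout; SAMPLE_CONFIG is a constructed
subset and 203.0.113.0/24 (documentation range) stands in for the real public block."""
import ipaddress
import re
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <webgui><protocol>https</protocol><port>443</port></webgui>
    <ssh><enable>enabled</enable><port>22</port></ssh>
    <user><name>admin</name><bcrypt-hash>$2y$10$constructedhashvalue</bcrypt-hash></user>
  </system>
  <interfaces>
    <wan><enable/><if>em0</if><ipaddr>dhcp</ipaddr><spoofmac>00:11:22:33:44:55</spoofmac></wan>
    <lan><enable/><if>em1</if><ipaddr>10.10.0.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <aliases><alias><name>isp_static</name><type>host</type><address>203.0.113.10</address></alias></aliases>
  <filter>
    <rule><type>pass</type><interface>lan</interface><source><network>lan</network></source>
      <destination><any/></destination><descr>Default allow LAN to any rule</descr></rule>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol><source><any/></source>
      <destination><network>wanip</network><port>443</port></destination><descr>TEMP remote admin</descr></rule>
  </filter>
</pfsense>
"""

# Addresses allowed to stay in public docs: lab-internal, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")
SECRET_WORDS = ("password", "hash", "key", "secret")   # assumption: element-name fragments to blank


def wan_is_dhcp(root):
    """WAN must be DHCP: the ISP reservation is only ever delivered over DHCP."""
    return (root.findtext("interfaces/wan/ipaddr") or "").strip().lower() == "dhcp"


def admin_ports(root):
    """TCP ports of the web GUI and, when enabled, SSH, as configured under <system>."""
    proto = root.findtext("system/webgui/protocol") or "https"
    ports = {int(root.findtext("system/webgui/port") or (443 if proto == "https" else 80))}
    if root.find("system/ssh/enable") is not None:
        ports.add(int(root.findtext("system/ssh/port") or 22))
    return ports


def exposed_admin_rules(root):
    """descr of enabled WAN pass rules that can reach an admin port. A destination of
    'any', 'wanip' (WAN address) or '(self)' includes the firewall itself; a missing
    port means every port and an alias or range cannot be resolved here, so both count."""
    admin, hits = admin_ports(root), []
    for rule in root.findall("filter/rule"):
        dst = rule.find("destination")
        if (rule.findtext("interface") != "wan" or rule.findtext("type") != "pass"
                or rule.find("disabled") is not None or dst is None):
            continue
        if dst.find("any") is None and dst.findtext("network") not in ("wanip", "(self)"):
            continue
        port = (dst.findtext("port") or "").strip()
        if not port or not port.isdigit() or int(port) in admin:
            hits.append(rule.findtext("descr") or "<no descr>")
    return hits


def audit(config_xml):
    """Findings against the page's rules; an empty list means they hold."""
    root = ET.fromstring(config_xml)
    findings = [] if wan_is_dhcp(root) else ["WAN ipaddr is not 'dhcp'; the ISP reservation is never requested"]
    return findings + [f"WAN pass rule reaches an admin service: {d}" for d in exposed_admin_rules(root)]


def _redact_ip(m):
    try:
        ip = ipaddress.ip_address(m.group(0))
    except ValueError:                       # e.g. 999.1.1.1 is not an address
        return m.group(0)
    keep = ip.is_reserved or ip.is_multicast or ip.is_unspecified   # netmasks, 0.0.0.0
    return m.group(0) if keep or any(ip in n for n in INTERNAL_NETS) else "PUBLIC_IP_REDACTED"


def sanitize(config_xml):
    """config.xml text with public IPv4s, MACs and credential-like values redacted."""
    root = ET.fromstring(config_xml)
    for el in root.iter():
        if any(w in el.tag.lower() for w in SECRET_WORDS):
            el.text = "REDACTED" if el.text and el.text.strip() else el.text
        elif el.text:
            el.text = MAC_RE.sub("MAC_REDACTED", IPV4_RE.sub(_redact_ip, el.text))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sanitize(SAMPLE_CONFIG), sep="\n")
```

The audit is deliberately conservative: a WAN pass rule whose destination port is an alias or range is reported as reaching an admin service because the script cannot resolve it, and a reviewer then decides. The sanitizer works on element text rather than on the raw file so that lab-internal addresses such as the LAN gateway survive while anything outside the internal ranges is replaced; ElementTree drops the XML declaration on output, which is cosmetic for a documentation copy but means the sanitized file is for the docs, not for restoring the firewall.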