In this Hangout & Hack, we'll review PfSense, open source software which serves as an excellent home or small office perimeter firewall. It provides all the features needed for self-hosting various bitcoin-related applications/services and exposing those services to trusted clients or the broader Internet.
When the time comes, click the following button to be taken directly to our Discord:
In this Hangout & Hack, we'll cover the following commonly used features of PFSense.
PFSense support VLANs which are a way to isolate Layer-2 broadcast domains on a switched network. This way your network can carry traffic isolated to certain LANs.
DHCP Reservations allow you to create a one-to-one mapping between a physical MAC (ethernet) address to a specific IP address. It is common to create DHCP reservations for your Bitcoin full node or web servers sitting on a DMZ in your network.
The alternative to DHCP is static address assignment.
Domain Name Server (DNS)
PFSense can provide DNS services (UDP or TLS) to local clients for internal domains. You can override DNS entries to ensure clients resolve to the correct internal IP address. All unknown entries resolve to your recursive DNS servers (DNS over TLS).
DNS over TLS
For recursive queries (i.e., if the local DNS Server cannot resolve locally), requests are sent to upstream DNS resolvers. PFSense allows you to configure DNS over TLS, which has better security and privacy properties than traditional UDP-based DNS.
Choosing your upstream servers is worth consideration. Consider choosing DNS servers that filter out adult content, trackers, and malware. This eliminates known-bad domain names. You can still access websites by running a VPN client on your device, or overriding DNS settings on the host.
Dynamic DNS allows a service to update a remote DNS record using a shared secret. PFSense can perform DDNS on your public IP address such that whenever you PFSense receives a new IP address from the upstream server.
Wireguard allows you to create fast encrypted tunnels between two endpoints. In general, your OUTSIDE interface of the PFSense firewall will accept UDP traffic on a port (e.g., 51820). Very simple public key agreement (Diffie Hellman) between endpoints provides basis for authentication and encryption.
Check out the following Lightning-only VPN service. You pay a lightning invoice, then you scan a QR code that represents your Wireguard profile to them. Simple! Make sure you're using the Wireguard app from F-DROID.
The firewall functionality defines your network policy: what traffic can go where. Typically you have a series of "zones" or "DMZs" with varying levels of trust: e.g, MANAGEMENT (most trusted), NODES Zone, SERVERS Zone, WIRELESS Zone, OUTSIDE (least trusted).
Aliases allow you to create named groups of one or more IP addresses, Networks (CIDRs), Ports, or URLs. These named groups can then be referenced by firewall rules. This results in simplified management of firewall rules.
NAT allows you to translate incoming traffic on one interface (typically OUTSIDE) and direct it to a host one a different ZONE (DMZ).
Traffic policy rules are enforced on all packets entering an interface. Unless explicitly allowed, all traffic is blocked. Reference your Aliases rather than specifying IP addresses or CIDR blocks.
Want to show your support for Old City Bitcoiners? Consider donating today! All donations go to our monthly crowdfunding goals.