Setting Up Privileged Hosts in pfSense

We follow a whitelisting policy on our network, only allowing hosts through certain ports on the firewall, like 80 for HTTP and 443 for HTTPS. All other ports are blocked between 7am and 3pm. This helps us cut down on unwanted traffic, especially BitTorrent.

However, there are situations where we want to allow a host on the network access to a wider range of ports. For example, Skype uses random ports to communicate; it’s not possible to whitelist it (unless you get Layer7 traffic shaping to work, which last I heard was dicey). When our teachers do Mystery Skypes or our director wants to interview prospective candidates, they need unrestricted access through the firewall.

To do this, we set up a special IP address that has unlimited access, and assign that IP address to the computer we want using a static DHCP lease. What follows are the steps to do it.

1. Create a firewall rule as follows:

This rule gives a specific IP address (in this case, 10.0.1.250) unlimited access through the firewall.

2. Move it to the top of your firewall rule list, since pfSense firewall rules are evaluated on a first-match basis.

The rule is listed second here; you should move it to the top.
3. Apply your changes.


4. Now, we need to assign that IP address to the device that we want to have unlimited access; we do this by associating the IP address with that device’s MAC address. Go to Services > DHCP Server.

Depending on your theme, the Services menu may be at the top or along the left side.

5. Look for the DHCP Static Mapping section at the bottom of the page.


6. Add a new DHCP Static Mapping.

Get the MAC address of the computer for which you want unrestricted internet access. The IP address should match the one you put into the firewall rule in a previous step.

7. Verify that you see a new DHCP Static Mapping.


8. Apply your changes and you’re done! The device you want now has unrestricted access through the firewall.


Well, actually, you’re almost done. You may need to turn the WiFi off and on again on the device you selected in order for it to pick up the right IP address.

Note that this method does not guarantee bandwidth for a given device. To do that, you’d have to implement the traffic shaper or bandwidth limiter. However, this does allow a single device (or more than one, if you repeat these steps for each device you want) to use Skype and BitTorrent while they are blocked for all other devices.
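As an added illustration (not part of the original post), the following Python model shows why step 2 matters: pfSense evaluates rules first-match, so the privileged-host rule only takes effect if it sits above the scheduled block. The rule names, the trailing default-allow LAN rule, and the evaluation helper are assumptions made for this model, not pfSense’s own configuration or API.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple, FrozenSet

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                  # "pass" or "block"
    src: Optional[str] = None                    # source IP; None = any host
    ports: Optional[FrozenSet[int]] = None       # destination ports; None = any
    sched: Optional[Tuple[time, time]] = None    # active window; None = always

def rule_matches(rule: Rule, src: str, dport: int, now: time) -> bool:
    # A scheduled rule is simply inactive outside its time window
    if rule.sched and not (rule.sched[0] <= now < rule.sched[1]):
        return False
    if rule.src is not None and rule.src != src:
        return False
    if rule.ports is not None and dport not in rule.ports:
        return False
    return True

def evaluate(rules, src: str, dport: int, now: time):
    """First-match evaluation, as pfSense does it: the first rule that
    matches decides; later rules are never consulted."""
    for rule in rules:
        if rule_matches(rule, src, dport, now):
            return rule.action, rule.name
    return "block", "default deny"

SCHOOL_HOURS = (time(7, 0), time(15, 0))                         # 7am-3pm
PRIVILEGED = Rule("privileged host", "pass", src="10.0.1.250")   # step 1
WEB = Rule("allow web", "pass", ports=frozenset({80, 443}))
BLOCK_REST = Rule("block other ports 7am-3pm", "block", sched=SCHOOL_HOURS)
# Assumed: the stock LAN "default allow" rule at the bottom of the list
DEFAULT_ALLOW = Rule("default allow LAN", "pass")

# Privileged-host rule moved to the top, as step 2 instructs
GOOD_ORDER = [PRIVILEGED, WEB, BLOCK_REST, DEFAULT_ALLOW]
# Privileged-host rule left below the block rule (the screenshot situation)
BAD_ORDER = [WEB, BLOCK_REST, PRIVILEGED, DEFAULT_ALLOW]

if __name__ == "__main__":
    # Constructed sample: the privileged host on a random Skype port at 10am
    for label, rules in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(label, evaluate(rules, "10.0.1.250", 50000, time(10, 0)))
```

With the rule at the top the privileged host passes on any port during school hours; with it placed second, the scheduled block matches first and the host is treated like everyone else.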

If you want to turn off the unrestricted access, you can either remove the static DHCP mapping, or disable the firewall rule. I’d do the former if the device will only use unrestricted access once (like for a Mystery Skype), and the latter if you expect to grant unrestricted access again in the future (like for a director Skyping).
