We follow a whitelisting policy on our network, only allowing hosts out through certain ports on the firewall, such as 80 for HTTP and 443 for HTTPS. All other ports are blocked between 7am and 3pm. This helps us cut down on unwanted traffic, especially BitTorrent.
However, there are situations where we want to allow a host on the network access to a wider range of ports. For example, Skype uses random ports to communicate, so it's not possible to whitelist it by port (unless you get Layer7 traffic shaping to work, which last I heard was dicey). When our teachers do Mystery Skypes or our director wants to interview prospective candidates, they need unrestricted access through the firewall.
To do this, we set up a special IP address that has unlimited access, and assign that IP address to the computer we want using a static DHCP lease. What follows are the steps to do it.
1. Create a firewall rule that passes traffic of any protocol from the special IP address (set as the source) to any destination on any port.
2. Move it to the top of your firewall rule list, above the rules that block the other ports, since pfSense evaluates the rules on an interface top to bottom and the first match wins.
3. Apply your changes.
4. Now, we need to assign that IP address to the device that we want to have unlimited access; we do this by associating the IP address with that device’s MAC address. Go to Services > DHCP Server.
5. Look for the DHCP Static Mapping section at the bottom of the page.
6. Add a new DHCP Static Mapping, entering the device's MAC address and the special IP address.
7. Verify that you see a new DHCP Static Mapping.
8. Apply your changes and you’re done! The device you want now has unrestricted access through the firewall.
Well, actually you're almost done. The device may still be holding its old lease, so you may need to turn the WiFi off and on again (or otherwise release and renew the lease) for it to pick up the right IP.
Note that this method does not guarantee bandwidth for a given device. To do that, you'd have to implement the traffic shaper or bandwidth limiter. However, it does allow a single device (or more than one, if you repeat these steps for each device you want) to use Skype and BitTorrent while they are blocked for all other devices. Keep in mind that the rule trusts the source IP, not the device: the static mapping only makes sure the right machine gets that address by DHCP, so anyone who configures the special IP manually (or spoofs the MAC address) gets the same unrestricted access while the rule is enabled. That is a good reason not to leave the rule enabled longer than you need it.
If you want to turn off the unrestricted access, you can either remove the static DHCP mapping, or disable the firewall rule. I’d do the former if the device will only use unrestricted access once (like for a Mystery Skype), and the latter if you expect to grant unrestricted access again in the future (like for a director Skyping).
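Because the access depends on two separate settings (the pass rule and the static mapping), it is easy to lose track of which hosts are currently unrestricted, especially if you disable rules sometimes and delete mappings other times. The script below is an added example, not part of the original post or of pfSense itself: it reads a pfSense configuration backup (config.xml) and reports every "pass anything from one address" rule together with whether a static mapping backs it. The element names (filter/rule, source/address, destination/any, dhcpd/<interface>/staticmap) follow the layout of an exported config.xml as I understand it; confirm them against your own backup from Diagnostics > Backup & Restore. The sample configuration, IP addresses and MAC addresses are constructed for the example.

```python
"""Audit a pfSense config.xml backup for 'unrestricted host' pass rules
and the DHCP static mappings that back them.

Added example. Element names are assumed to match a pfSense backup;
check them against your own export before relying on this."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a pfSense config.xml backup (assumption):
# one enabled unrestricted rule with a mapping, one disabled unrestricted rule
# with no mapping, and one ordinary whitelist rule that should be ignored.
SAMPLE_CONFIG = """<pfsense>
  <filter>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <source><address>192.168.1.250</address></source>
      <destination><any></any></destination>
      <descr>Unrestricted host (Mystery Skype laptop)</descr>
    </rule>
    <rule>
      <disabled></disabled>
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <source><address>192.168.1.251</address></source>
      <destination><any></any></destination>
      <descr>Unrestricted host (director)</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <protocol>tcp</protocol>
      <source><network>lan</network></source>
      <destination><any></any><port>443</port></destination>
      <descr>HTTPS for everyone</descr>
    </rule>
  </filter>
  <dhcpd>
    <lan>
      <staticmap>
        <mac>aa:bb:cc:dd:ee:01</mac>
        <ipaddr>192.168.1.250</ipaddr>
        <hostname>skype-laptop</hostname>
      </staticmap>
      <staticmap>
        <mac>aa:bb:cc:dd:ee:02</mac>
        <ipaddr>192.168.1.252</ipaddr>
        <hostname>printer</hostname>
      </staticmap>
    </lan>
  </dhcpd>
</pfsense>
"""


def unrestricted_rules(root):
    """Pass rules that allow any protocol to any destination from a single
    source address (or alias). pfSense omits <protocol> when it is 'any'
    and writes an empty <disabled> element when a rule is disabled."""
    found = []
    for rule in root.iterfind("filter/rule"):
        if rule.findtext("type") != "pass":
            continue
        if rule.find("protocol") is not None:  # a specific protocol, not 'any'
            continue
        dest = rule.find("destination")
        if dest is None or dest.find("any") is None or dest.find("port") is not None:
            continue
        src = rule.findtext("source/address")
        if not src:  # 'LAN net' style sources use <network>, skip those
            continue
        found.append({
            "ip": src,
            "enabled": rule.find("disabled") is None,
            "descr": rule.findtext("descr", ""),
        })
    return found


def static_mappings(root):
    """Map each statically assigned IP to its MAC across all DHCP interfaces."""
    dhcpd = root.find("dhcpd")
    if dhcpd is None:
        return {}
    return {
        m.findtext("ipaddr"): m.findtext("mac")
        for iface in dhcpd
        for m in iface.iterfind("staticmap")
    }


def audit(xml_text):
    """Return {ip: {"status", "mac", "descr"}} for every unrestricted-host rule.
    An enabled rule with no mapping is the case to worry about: the rule still
    grants access to anyone who configures that IP on their device by hand."""
    root = ET.fromstring(xml_text)
    maps = static_mappings(root)
    report = {}
    for r in unrestricted_rules(root):
        mac = maps.get(r["ip"])
        if r["enabled"] and mac:
            status = "ACTIVE"
        elif r["enabled"]:
            status = "RULE ENABLED, NO MAPPING"
        else:
            status = "DISABLED"
        report[r["ip"]] = {"status": status, "mac": mac, "descr": r["descr"]}
    return report


if __name__ == "__main__":
    for ip, info in audit(SAMPLE_CONFIG).items():
        print(f"{ip:16} {info['status']:26} mac={info['mac']}  {info['descr']}")
```

Run it against a real backup with `audit(open("config.xml").read())`. Anything reported as ACTIVE is a host that can reach any port right now; anything reported as RULE ENABLED, NO MAPPING is a rule you forgot to disable after deleting the mapping, which still lets anyone who sets that IP manually through the firewall.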