- Restrict WebGUI and SSH access to dedicated management networks.
- Change default admin credentials and disable password reuse.
- Use HTTPS-only WebGUI with a trusted internal certificate.
- Keep default deny on WAN and build explicit allow rules.
- Use aliases for maintainable policy and safer change reviews.
- Segment LAN, server, IoT, and guest networks with dedicated interfaces/VLANs.
¶ Remote Access and VPN
- Use OpenVPN or WireGuard for administrative remote access.
- Enforce certificate-based authentication with revocation support.
- Disable direct WAN access to admin services.
¶ DNS and Resolver Hardening
- Run Unbound in resolver mode with DNSSEC validation enabled.
- Block unauthorized outbound DNS from internal clients.
- Use split DNS for internal records and avoid exposing internal zones externally.
¶ Update and Package Control
- Keep pfSense CE and installed packages patched.
- Remove unused packages and disable experimental features in production.
- Backup configuration before upgrades and verify restore on a test node.
¶ Visibility and Response
- Ship firewall, VPN, and auth logs to a centralized log platform.
- Alert on repeated auth failures, config exports, and admin changes.
- Document incident response steps for firewall misconfiguration rollback.