While high-speed internet connectivity is becoming more and more common, many in the online world—especially those with residential connections or small office/home office (SOHO) setups—lack the hardware to fully take advantage of these speeds. Fiber-optic technology brings with it the promise of a gigabit speed or greater, and the technology surrounding traditional copper networks is also yielding improvements. Yet many people are using consumer-grade routers that offer, at best, mediocre performance.
pfSense, an open source router/firewall solution, is a far better alternative that is available to you. You have likely already downloaded, installed, and configured pfSense, possibly in a residential or SOHO environment. As an intermediate-level pfSense user, you do not need to be sold on the benefits of pfSense. Nevertheless, you may be looking to deploy pfSense in a different environment (for example, a corporate network), or you may just be looking to enhance your knowledge of pfSense. In either case, mastering the topics in this book will help you achieve these goals.
This chapter is designed to review the process of getting your pfSense system up and running. It will guide you through the process of choosing the right hardware for your deployment, but it will not provide a detailed treatment of installation and initial configuration. The emphasis will be on troubleshooting, as well as some of the newer configuration options.
This chapter will cover the following topics:
- A brief overview of the pfSense project
- pfSense deployment scenarios
- Minimum specifications and hardware sizing guidelines
- The best practices for installation and configuration
- Basic configuration from both the console and the pfSense web GUI
To follow along with this chapter, you will need the following:
- A 64-bit Intel, AMD, or ARM-based system with a 500 MHz processor or greater, at least 512 MB of RAM, and 1 GB of disk space onto which pfSense will be installed
- A USB thumb drive with at least 1 GB of disk space, or blank CD media if you prefer using optical media, which will serve as the installation media
- Internet access, for downloading pfSense binaries
- A second computer system, for accessing the pfSense web GUI
- An Ethernet switch and cabling, or a crossover cable, for connecting the second computer system to the pfSense system
If you want to try out pfSense without doing an actual installation, you can create a pfSense virtual machine. While this chapter does not provide a guide to installing pfSense into a virtual environment, I recommend the following for running pfSense in a virtual machine:
- A 64-bit Intel or AMD-based system with a 2 GHz processor or greater, at least 8 GB of RAM, and enough disk space to accommodate the virtual hard drive (likely 8 GB or greater)
- Either a Type 1 or Type 2 hypervisor:
  - Type 1 (bare-metal hypervisor; runs directly on the hardware):
    - VMware ESXi
    - Microsoft Hyper-V
    - Proxmox VE (Debian-based, built on the Linux KVM hypervisor)
  - Type 2 (hosted hypervisor; runs on top of an existing OS):
    - Oracle VM VirtualBox (Linux, Windows, macOS, Solaris)
Most likely you will have to create two virtual machines: one into which pfSense will be installed, and a second from which you will access the web GUI and test the functionality of the virtual pfSense system.
The origins of pfSense can be traced to the OpenBSD packet filter known as PF, which first appeared in OpenBSD 3.0 in 2001 and was later ported to FreeBSD (it shipped with FreeBSD 5.3 in 2004). As PF is limited to a command-line interface, several projects have been launched in order to provide a graphical interface for PF. m0n0wall, which was released in 2003, was the earliest attempt at such a project. pfSense began as a fork of the m0n0wall project.
Version 1.0 of pfSense was released on October 4, 2006. Version 2.0 was released on September 17, 2011. Version 2.1 was released on September 15, 2013, and Version 2.2 was released on January 23, 2015. Version 2.3, released on April 12, 2016, phased out support for legacy technologies such as the Point-to-Point Tunneling Protocol (PPTP), Wired Equivalent Privacy (WEP) and single DES, and also provided a facelift for the web GUI.
Version 2.4, released on October 12, 2017, continues this trend of phasing out support for legacy technologies while also adding features and improving the web GUI. Support for 32-bit x86 architectures has been deprecated (security updates will continue for 32-bit systems, however, for at least a year after the release of 2.4), while support for Netgate Advanced RISC Machines (ARM) devices has been added. A new pfSense installer (based on FreeBSD's bsdinstall) has been incorporated into pfSense, and there is support for the ZFS filesystem, as well as the Unified Extensible Firmware Interface (UEFI). pfSense now supports OpenVPN 2.4.x, and as a result, features such as AES-GCM ciphers can be utilized. In addition, pfSense now supports multiple languages; the web GUI has been translated into 13 different languages. At the time of writing, version 2.4.2, released on November 21, 2017, is the most recent version.
Once you have decided to add a pfSense system to your network, you need to consider how it is going to be deployed on your network. pfSense is suitable for a variety of networks, from small to large ones, and can be employed in a variety of deployment scenarios. In this section, we will cover the following possible uses for pfSense:
- Perimeter firewall
- Router
- Switch
- Wireless router/wireless access point
The most common way to add pfSense to your network is to use it as a perimeter firewall, as shown in the diagram. In this scenario, your internet connection is connected to one port on the pfSense system, and your local network is connected to another port on the system. The port connected to the internet is known as the WAN interface, and the port connected to the local network is known as the LAN interface:
Diagram showing deployment scenario in which pfSense is the firewall
If pfSense is your perimeter firewall, you may choose to set it up as a dedicated firewall, or you might want to have it perform the double duty of a firewall and a router. You may also choose to have more than two interfaces in your pfSense system (known as optional interfaces). In order to act as a perimeter firewall, however, a pfSense system requires at least two interfaces: a WAN interface (to connect to outside networks), and a LAN interface (to connect to the local network).
The perimeter firewall performs two broad functions. The first, monitoring and controlling inbound traffic, should be fairly obvious. Allowing certain traffic on certain ports while blocking everything else is a core function of all firewalls (pfSense's default WAN rules do exactly this: nothing unsolicited is allowed in). The second, monitoring and controlling outbound traffic, might seem less obvious but is just as important. Outbound traffic tends to pass through the firewall unchallenged (pfSense's default LAN rule allows everything out), which leaves the network open to malware that has already compromised a workstation, typically through the web browser, and now needs to reach its command-and-control server or exfiltrate data. Restricting outbound traffic to the ports and destinations the network actually needs, and logging what is blocked, is how the firewall helps detect and contain such an infection.
It is commonplace to set up the networks behind the firewall with a split architecture, with assets accessible from the internet being kept separate from the rest of the network. In such cases, the internet-accessible resources are placed on a separate network generally referred to as the demilitarized zone (DMZ). If your network requires such a setup, you can easily do this with pfSense as your perimeter firewall, as we will see later.
In more complex network setups, your pfSense system may have to exchange routing information with other routers on the network. There are two main types of interior routing protocol: distance-vector protocols, in which each router learns routes from its neighbours' advertisements, and link-state protocols, in which every router builds a map of the whole network and independently calculates the shortest path to every destination. pfSense can run both types through packages, which provide RIP and RIPv2 (distance vector), OSPF (link state), and BGP, the path-vector protocol used between autonomous systems. These protocols will be discussed in greater detail in Chapter 10, Routing and Bridging.
Another common deployment scenario is to set up pfSense as a router. In a home or SOHO environment, firewall and router functions are often performed by the same device. In mid-sized to large networks, however, the router is a device separate from that of the perimeter firewall.
In larger networks, which have several network segments, pfSense can be used to connect these segments. Traditionally, using a router to connect multiple networks requires multiple network interfaces on the router. However, with VLANs, we can use a single network interface card (NIC) to operate in multiple broadcast domains via 802.1q tagging. VLANs are often used with the ever-popular router on a stick configuration, in which the router has a single physical connection to a switch (this connection is known as a trunk), with the single Ethernet interface divided into multiple VLANs, and the router forwarding packets between the VLANs. One of the advantages of this setup is that it only requires a single port, and, as a result, it allows us to use pfSense on systems where adding another NIC would be cumbersome or even impossible: for example, a laptop or certain thin clients. Bear in mind that every packet crossing between VLANs then traverses the trunk twice, once in and once out, so the trunk's bandwidth is shared by all inter-VLAN traffic. We will cover VLANs in greater depth in Chapter 3, VLANs.
In most cases, where pfSense is deployed as a router on mid-sized and large networks, it would be used to connect different LAN segments; however, it could also be used as a WAN router. In this case, pfSense's function would be to provide a private WAN connection to the end user.
Another possible deployment scenario is to use pfSense as a switch. If you have multiple interfaces on your pfSense system and bridge them together, pfSense can function as a switch. This is a far less common scenario, however, for several reasons:
- Using pfSense as a switch is generally not cost effective. You can purchase a five-port Ethernet switch for less than what it would cost to purchase the hardware for a pfSense system. Buying a commercially available switch will also save you money in the long run, as they likely would consume far less power than whatever computer you would be using to run pfSense.
- Commercially available switches will likely outperform pfSense, as pfSense will process all packets that pass between ports, while a typical Ethernet switch will handle them locally with dedicated hardware made specifically for passing data between ports quickly. While you can disable filtering entirely in pfSense if you know what you're doing, you will still be limited by the speed of the bus on which your network cards reside, whether it is PCI, PCI-X, or PCI Express (PCI-e).
- There is also the administrative overhead of using pfSense as a switch. Simple switches are designed to be Plug and Play, and setting up these switches is as easy as plugging in your Ethernet cables and the power cord. Managed switches typically enable you to configure settings at the console and/or through a web interface, but in many cases, configuration is only necessary if you want to modify the operation of the switch. If you use pfSense as a switch, however, some configuration will be required.
If none of this intimidates you, then feel free to use pfSense as a switch. While you're not likely to achieve the performance level or cost savings of using a commercially available switch, you will likely learn a great deal about pfSense and networking in the process. Moreover, advances in hardware could make using pfSense as a switch viable at some point in the future. Advances in low-power consumption computers are one factor that could make this possible.
Yet another possibility is using pfSense as a wireless router/access point. A sizable proportion of modern networks incorporate some type of wireless connectivity. Connecting over wireless is not only easier, but in some cases running an Ethernet cable is not a realistic option. With pfSense, you can add wireless networking capabilities to your system by adding a wireless network card, provided that the card is supported by FreeBSD.
Generally, however, using pfSense as a wireless router or access point is not the best option. Support for wireless network cards in FreeBSD leaves something to be desired. Support for the IEEE's 802.11b and g standards is okay, but support for 802.11n and 802.11ac is not very good.
A more likely solution is to buy a wireless router (even if it is one of the aforementioned consumer-grade units), set it up to act solely as an access point, connect it to the LAN port of your pfSense system, and let pfSense act as a Dynamic Host Configuration Protocol (DHCP) server. A typical router will work fine as a dedicated wireless access point, and they are more likely to support the latest wireless networking standards than pfSense. Another possibility is to buy a dedicated wireless access point. These are generally inexpensive and some have such features as multiple SSIDs, which allow you to set up multiple wireless networks (for example, you could have a separate guest network which is completely isolated from other local networks). Using pfSense as a router, in combination with a commercial wireless access point, is likely the least-troublesome option.
Once you have decided where to deploy pfSense on your network, you should have a clearer idea of what your hardware requirements are. As a minimum, you will need a CPU, motherboard, memory (RAM), some form of disk storage, and at least two network interfaces (unless you are opting for a router on a stick setup, in which case you only need one network interface). You may also need one or more optional interfaces.
The starting point for our discussion on hardware requirements is the pfSense minimum specifications. As of January 2018, the minimum hardware requirements are as follows (these specifications are from the official pfSense site, https://www.pfsense.org):
- CPU – 500 MHz (1 GHz recommended)
- RAM – 512 MB (1 GB recommended)
pfSense requires a 64-bit Intel or AMD (amd64) CPU or, for the Netgate appliances, a supported ARM CPU. You should also use a CPU that supports the AES-NI instruction set extensions (or another hardware crypto offload), as the project has announced that such a CPU will be required starting with version 2.5; on current hardware it also gives IPsec and OpenVPN AES-GCM a large throughput boost. Three separate images are provided: an ISO for optical media, a memstick image for booting the same installer from USB, and an image for the ARM-based Netgate systems. The active default console for the ISO and memstick images is VGA, while the active default console for the Netgate image is serial. The NanoBSD images (for embedded systems, which enabled the serial console by default) have been deprecated with the release of version 2.4. On the images which default to VGA, the serial console can be enabled after installation from the web GUI.
A pfSense installation requires at least 1 GB of disk space. If you are installing on an embedded device, you can access the console either by a serial or VGA port. A step-by-step installation guide for the pfSense Live CD can be found on the official pfSense website at: https://doc.pfsense.org/index.php/Installing_pfSense.
Version 2.3 eliminated the Live CD, which allowed you to try out pfSense without installing it onto other media. If you really want to use the Live CD, however, you could use a pre-2.3 image (version 2.2.6 or earlier). You can always upgrade to the latest version of pfSense after installation.
Installation onto either a hard disk drive (HDD) or a solid-state drive (SSD) is the most common option for a full install of pfSense, whereas embedded installs typically use CF, SD, or USB media. A full install of the current version of pfSense will fit onto a 1 GB drive, but will leave little room for installation of packages or for log files. Any activity that requires caching, such as running a proxy server, will also require additional disk space.
The last installation option in the table is installation onto an embedded system using the Netgate ADI image. Netgate currently sells several ARM-based systems such as the SG-3100, which is advertised as an appliance that can be used in many deployment scenarios, including as a firewall, LAN or WAN router, VPN appliance, and DHCP or DNS server. It is targeted towards small and medium-sized businesses and may appeal to home and business users seeking a reliable firewall appliance with a low total cost of ownership. Storage (without upgrading) is limited to 8 GB of eMMC Flash, which would limit which packages could be installed. Another Netgate option is the SG-1000, which is a bare bones router with only 2 Ethernet ports, 512 MB of RAM and 4 GB of eMMC Flash.
The minimum hardware requirements are general guidelines, and you may want to exceed these minimums based on different factors. It may be useful to consider these factors when determining what CPU, memory, and storage device to use:
- For the CPU, requirements increase for faster internet connections. Guidelines for the CPU and network cards can be found on the official pfSense site at http://pfsense.org/hardware/#requirements. The following general guidelines apply: the minimum hardware specifications (Intel/AMD CPU of 500 MHz or greater) are valid up to 20 Mbps, and CPU requirements begin to increase at speeds greater than 20 Mbps.
- Connections of 100 Mbps or faster will require PCI-e network adapters to keep up with the increased network throughput.
If you intend to use pfSense to bridge interfaces—for example, if you want to bridge a wireless and wired network, or if you want to use pfSense as a switch—then the PCI bus speed should be considered. The PCI bus can easily become a bottleneck. Therefore, in such scenarios, using PCI-e hardware is the better option, as it offers up to 31.51 GBps (for PCI-e v. 4.0 on a 16-lane slot) versus 533 MBps for the fastest conventional PCI buses.
If you plan on using pfSense as a VPN server, then you should take into account the effect VPN usage will have on the CPU. Each VPN connection requires the CPU to encrypt and decrypt traffic, and the more connections there are and the more data they carry, the more the CPU will be taxed. Generally, the most cost-effective solution is to use a more powerful CPU. But there are ways to reduce the CPU load from VPN traffic. Soekris has the vpn14x1 product range; these cards offload the computationally intensive tasks of encryption and compression from the CPU. AES-NI acceleration of IPsec (and of OpenVPN when an AES-GCM cipher is selected) also significantly reduces the CPU requirements.
If you have hundreds of simultaneous captive portal users, you will require slightly more CPU power than you would otherwise. Captive portal usage does not put as much of a load on the CPU as VPN usage, but if you anticipate having a lot of captive portal users, you will want to take this into consideration.
If you're not a power user, 512 MB of RAM might be enough for your pfSense system. This, however, leaves little room for the state table (where, as mentioned earlier, active connections are tracked). Each state requires about 1 KB of memory, which is less than some consumer-grade routers use, but you still want to be mindful of RAM if you anticipate a lot of simultaneous connections. The other components of pfSense require 32 to 48 MB of RAM, and possibly more depending on which features you are using, so you have to subtract that from the available memory when calculating the maximum state table size. pfSense derives its default Firewall Maximum States from the installed RAM for this reason (roughly 10% of it, at 1 KB per state), and once the table is full, new connections fail until old states expire, which is a common cause of intermittent connectivity complaints on under-provisioned firewalls.
Installing packages can also increase your RAM requirements; Snort and ntop are two such examples. You should also probably not install packages if you have limited disk space. Proxy servers in particular use up a fair amount of disk space, which is something you should probably consider if you plan on installing a proxy server such as Squid.
The amount of disk space, as well as the form of storage you utilize, will largely be dictated by which packages you install and what logging you enable. Some packages are more demanding of storage than others: proxies such as Squid cache web content on disk, and block-list packages such as pfBlockerNG download lists of blocked IP addresses and domains, so both require additional disk space. Proxies also perform a great deal of read and write operations; therefore, if you are going to install a proxy, disk I/O performance (and, on flash media, write endurance) is something you should take into consideration.
You may be tempted to opt for the cheapest NICs. However, inexpensive NICs often have complex drivers that offload most of the processing to the CPU. They can saturate your CPU with interrupt handling, thus causing missed packets. Cheaper network cards typically have smaller buffers (often no more than 300 KB), and when the buffers become full, packets are dropped. In addition, many of them do not support Ethernet frames that are larger than the maximum transmission unit (MTU) of 1,500 bytes. NICs that do not support larger frames cannot send or receive jumbo frames (frames with an MTU larger than 1,500 bytes), and therefore they cannot take advantage of the performance improvement that using jumbo frames would bring. In addition, such NICs will often have problems with VLAN traffic, since a VLAN tag increases the size of the Ethernet header beyond the traditional size limit.
The pfSense project recommends NICs based on Intel chipsets, and there are several reasons why such NICs are considered reliable. They tend to have adequately sized buffers, and do not have problems processing larger frames. Moreover, the drivers tend to be well-written and work well with Unix-based operating systems.
For a typical pfSense setup, you will need two network interfaces: one for the WAN and one for the LAN. Each additional subnet (for example, for a guest network) will require an additional interface, as will each additional WAN interface. It should be noted that you don't need an additional card for each interface added; you can buy a multiport network card (most of such cards have either two or four ports). You don't need to buy new NICs for your pfSense system; in fact, it is often economical to buy used NICs, and except in rare cases, the performance level will be the same.
If you want to incorporate wireless connectivity into your network, you may consider adding a wireless card to your pfSense system. As mentioned earlier, however, the likely better option is to use pfSense in conjunction with a separate wireless access point. If you do decide to add a wireless card to your system and configure it for use as an access point, you will want to check the FreeBSD hardware compatibility list before making a purchase.
You will also want to download the SHA256 checksum file in order to verify the integrity of the downloaded image. Verifying the integrity of downloads serves two purposes:
- It ensures that the download completed
- It safeguards against a party maliciously tampering with the images
In order to safeguard against the latter, however, be sure to download the checksum from a different mirror site than the site from which you downloaded the image, and fetch it over HTTPS. This provides an additional measure of security should an individual mirror site be compromised; a checksum served by the same compromised server as the image proves nothing, since the attacker can simply publish a hash of the tampered file.
Windows has several utilities for displaying SHA256 hashes for a file (certutil -hashfile FILE SHA256 is built in, and Get-FileHash does the same in PowerShell). Under BSD and Linux, generating the SHA256 hash is as easy as typing the following command:
shasum -a 256 pfSense-LiveCD-2.4.2-RELEASE-amd64.iso.gz
This command generates the SHA256 checksum for the 64-bit image for pfSense 2.4.2 (on Linux the equivalent is sha256sum FILE, and on FreeBSD and in the pfSense shell it is sha256 FILE). You should compare the resulting hash with the contents of the .sha256 file downloaded from one of the (other) mirrors. Compare the whole 64-character string, not just the first few characters.
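The comparison described above, written out as a small POSIX shell script. This is an added example and is not code from the book or from the pfSense project; it assumes the .sha256 file is in either the BSD form (SHA256 (file) = hash, which is what FreeBSD's sha256 tool produces) or the GNU form (hash  file), and the file names and contents in the demo at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the book): verify a downloaded image against the
# .sha256 file fetched from a second mirror. Assumes the checksum file uses
# either the BSD form "SHA256 (name) = hash" or the GNU form "hash  name".

# Print the SHA-256 digest of a file using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{ print $1 }'
    elif command -v sha256 >/dev/null 2>&1; then      # FreeBSD and the pfSense shell
        sha256 -q "$1"
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi
}

# Print the expected digest recorded for file name $2 in checksum file $1,
# or nothing if the file has no entry for that name.
expected_sum() {
    awk -v n="$2" '
        $1 == "SHA256" && $2 == "(" n ")" && $3 == "=" { print tolower($4); exit }
        length($1) == 64 && ($2 == n || $2 == "*" n)   { print tolower($1); exit }
    ' "$1"
}

# verify_image IMAGE SUMFILE: exit status 0 if the digests match,
# 1 on mismatch or missing entry, 2 if no hashing tool is available.
verify_image() {
    name=$(basename "$1")
    want=$(expected_sum "$2" "$name")
    if [ -z "$want" ]; then
        echo "FAIL $name: no entry in $2" >&2
        return 1
    fi
    have=$(sha256_of "$1") || return 2
    if [ "$have" = "$want" ]; then
        echo "OK   $name"
        return 0
    fi
    echo "FAIL $name: got $have, expected $want" >&2
    return 1
}

# Demonstration on constructed files (a real run would point at the
# downloaded .iso.gz and the .sha256 fetched from a different mirror).
demo() {
    tmp=$(mktemp -d)
    printf 'hello\n' > "$tmp/image.iso.gz"
    # 5891b5... is the SHA-256 of the six bytes "hello\n"
    printf 'SHA256 (image.iso.gz) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03\n' \
        > "$tmp/image.iso.gz.sha256"
    verify_image "$tmp/image.iso.gz" "$tmp/image.iso.gz.sha256"            # prints OK
    printf 'hello!\n' > "$tmp/image.iso.gz"                                   # simulate tampering
    verify_image "$tmp/image.iso.gz" "$tmp/image.iso.gz.sha256" || true      # prints FAIL
    rm -rf "$tmp"
}
demo
```

In practice you would call verify_image with the real image and checksum paths, and a non-zero exit status is the signal to discard the download rather than boot from it.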
The initial pfSense boot menu when booting from a CD or USB drive
- If the system hangs during the boot process, there are several options you can try. The first menu that appears as pfSense boots is the FreeBSD boot loader menu, and its last two options are Kernel and Configure Boot Options. Kernel allows you to select which kernel to boot from among the available kernels. If you have reason to suspect that the FreeBSD kernel being used is not compatible with your hardware, you might want to switch to the older version.
- Configure Boot Options launches a menu (shown in the preceding screenshot) with several useful options. A description of these options can be found in the FreeBSD Handbook at https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/. Toggling [A]CPI Support to Off can help in some cases, as ACPI's hardware discovery and configuration may cause the pfSense boot process to hang. If turning this off doesn't work, you could try booting in Safe [M]ode, and if all else fails, you can toggle [V]erbose mode to On, which prints detailed messages while booting; the last line shown before a hang usually identifies the driver or device responsible.
- While booting, pfSense provides information about your hardware, including expansion buses supported, network interfaces found, and USB support. When this is finished, the installer will launch and you will see the copyright and distribution notice. Select Accept and press Enter to accept these terms and conditions and continue with the installation.
- The installer then provides you with three options: Install, Rescue Shell, and Recover config.xml. The Rescue Shell option launches a BSD shell prompt from which you can perform functions that might prove helpful in repairing a non-functional pfSense system; for example, you can copy, delete and edit files from the shell prompt. If you suspect that a recent configuration change is what caused pfSense to break, however, and you saved the configuration file before making the change, the easiest way to fix your system may be to invoke Recover config.xml and restore pfSense from the previously saved config.xml.
- The next screen provides keymap options. Version 2.4.2 supports 99 different keyboard layouts, including both QWERTY and Dvorak layouts. Highlighting a keymap option and pressing Enter selects that option. There is also an option to test the default keymap, and an option to continue with the default keymap. Select Accept and press Enter when you have selected a keymap.
- Next, the installer provides the following disk partitioning options: Auto (UFS), Manual, Shell, and Auto (ZFS). The first and last options format the disk with the Unix File System (UFS) or with ZFS (originally developed by Sun Microsystems, now Oracle, and available in FreeBSD through OpenZFS), respectively.
- There are advantages and disadvantages to each filesystem, but the following table should help in your decision. Note that both filesystems support file ownership and file creation/last access timestamps.

| | UFS | ZFS |
|---|---|---|
| Introduced | August 1983 (with 4.2BSD) | November 2005 (with OpenSolaris) |
| Maximum volume size | 2^73 bytes (8 zebibytes) | 2^128 bytes (256 trillion yobibytes) |
| Maximum file size | 2^73 bytes (8 zebibytes) | 2^64 bytes (16 exbibytes) |
| Maximum filename length | 255 bytes | 255 bytes |
| Support for filesystem-level encryption | No (block-level encryption via GELI only) | Yes in Oracle ZFS; not in the OpenZFS shipped with the FreeBSD 11 base of pfSense 2.4, where the installer's Encrypt Disks option uses GELI underneath |

- In general, UFS is the tried-and-true filesystem, while ZFS was designed with data integrity in mind: every block is checksummed, all writes are copy-on-write, and the pool can be mirrored and snapshotted. For a firewall, the practical benefit is that a ZFS root survives the power failures and unclean shutdowns that corrupt UFS installs in small offices and closets, which makes ZFS the better choice on any system with adequate RAM.
pfSense does not support converting the filesystem to ZFS after installation; ZFS formatting must be done before installation.
Manual, as the name implies, allows you to manually create, delete and modify partitions. There are several choices for partition types; you can even create an Apple Partition Map (APM) or a DOS partition, if that suits you. The Shell option drops you to a BSD shell prompt from which you can also manually create, delete and modify partitions, using shell commands.
- If you chose ZFS, the next screen will present a series of options that allow you to further configure your ZFS pool. Pool Type/Disks allows you to select the type of redundancy. The default option is stripe, which provides no redundancy at all. The mirror option keeps a complete copy of the data on every disk in the set, and the pool continues to operate as long as one disk is functioning. The raid10 option combines mirroring and striping (it is a stripe across mirrored pairs). It requires at least four disks; the pool survives the loss of one disk from each mirrored pair, so up to half the disks can fail as long as no pair loses both of its members.
- The next three options, raidz1, raidz2, and raidz3, are ZFS-specific parity layouts. Like RAID levels 5 and 6, they achieve redundancy through parity, but the parity stripes in RAID-Z are dynamically sized. RAID-Z1 requires at least three disks and allows one of them to fail without data loss; RAID-Z2 requires at least four disks and allows two to fail; RAID-Z3 requires at least five disks and allows three to fail.
The installer will not let you proceed unless your RAID set has the minimum number of disks for the configuration you selected.
- If your ZFS pool is configured correctly, the installer will next present you with a series of ZFS-specific options. You can change the Pool Name (the default is zroot), toggle Force 4K Sectors on or off depending on whether you want sectors aligned on 4K boundaries (leave this on for modern drives and SSDs, which use 4K physical sectors), and toggle Encrypt Disks on or off. You can also select a partition scheme for the system.
- The default is GUID Partition Table (GPT), but the legacy Master Boot Record (MBR) is also supported. You can set it up to boot in BIOS mode, in Unified Extensible Firmware Interface (UEFI) mode, or, if your system supports it, both modes. The UEFI specification requires GPT partitioning, while some BIOS-based systems can boot from GPT partitions (and all BIOS-based systems can boot from MBR partitions). There is also an option (GPT + Lenovo Fix) that applies a workaround for a firmware bug that prevents GPT partitions from booting on some Lenovo systems. You can also set the Swap Size, toggle Mirror Swap on or off, and toggle Encrypt Swap on or off. Note that Encrypt Disks uses FreeBSD's GELI block-level encryption and requires a passphrase to be entered on the console at every boot, which rules it out for a firewall that must come back unattended after a power failure.
- After you have made all desired modifications you can proceed; the installer will format all selected volumes, extract the archive files and install pfSense. You will also be given an option to open a shell prompt to make any final modifications. Otherwise, you can reboot the system and run the newly installed copy of pfSense.
- If you were unable to install pfSense on to the target media, you may have to troubleshoot your system and/or installation media. If you are attempting to install from the CD, your optical drive may be malfunctioning, or the CD may be faulty.
You may want to start with a known good bootable disc and see if the system will boot off of it. If it can, then your pfSense disk may be at fault; burning the disc again may solve the problem. If, however, your system cannot boot off the known good disc, then the optical drive itself, or the cables connecting the optical drive to the motherboard, may be at fault.
- In some cases, however, none of the aforementioned possibilities hold true, and it is possible that the FreeBSD boot loader will not work on the target system. If so, then you could opt to install pfSense on a different system.
- Another possibility is to install pfSense onto a hard drive on a separate system, then transfer the hard drive into the target system. In order to do this, go through the installation process on the other system as you would normally until you reach the Assign Interfaces prompt. When asked whether VLANs should be set up now, answer no, and skip the interface assignment rather than assigning the donor system's interfaces, since their device names will not match the target's. Proceed through the rest of the installation; then power down the system and transfer the hard drive to the target system. Assuming that the pfSense hard drive is in the boot sequence, the system should boot pfSense and detect the target system's hardware correctly, and you can then assign network interfaces from the console menu. The rest of the configuration can then proceed as usual.
- If you have not encountered any of these problems, the software should be installed on the target system, and you should get a dialog box telling you to remove the CD from the optical drive tray and press Enter. The system will now reboot, and you will be booting into your new pfSense install for the first time.
The console menu in pfSense 2.4.3
Configuration takes place in two phases. Some configuration must be done at the console, including interface configuration and interface IP address assignment. Other configuration steps, such as VLAN and DHCP setup, can be done either at the console or within the web GUI. On initial bootup, pfSense will automatically configure the WAN and LAN interfaces, according to the following parameters:
- Network interfaces will be assigned to device IDs (em0, em1, and so on)
- The WAN interface will be assigned to em0, and the LAN interface will be assigned to em1
- The WAN interface will look to an upstream DHCP server for its IP address, while the LAN interface will initially be assigned an IP address of 192.168.1.1
You can, of course, accept these default assignments and proceed to the web GUI, but chances are you will need to change at least some of these settings. If you need to change interface assignments, select 1 from the menu.
On boot, you should eventually see a menu identical to the one seen on the CD version, with the boot multi or single user options, and other options. After a timeout period, the boot process will continue and you will get an Options menu. If the default interface assignments are unsatisfactory, select 1 from the menu to begin interface assignment. This is where the network cards installed in the system are given their roles as WAN, LAN, and optional interfaces (OPT1, OPT2, and so on).
If you select this option, you will be presented with a list of network interfaces. This list provides four pieces of information:
- pfSense's device name for the interface (em0, em1, and so on)
- The MAC address of the interface
- The link state of the interface (up if a link is detected; down otherwise)
- The manufacturer and model of the interface (Intel PRO 1000, for example)
As you are probably aware, generally speaking, no two network cards have the same MAC address, so each of the interfaces in your system should have a unique MAC address.
- To begin the configuration, select 1 and press Enter for the Assign Interfaces option.
- After that, a prompt will show up for VLAN configuration.
We will cover VLAN configuration in Chapter 4, Using pfSense as a Firewall, and we will cover both configuration from the command line and web GUI VLAN configuration.
- If you wish to set up VLANs, see Chapter 3, VLANs. Otherwise, type n and press Enter. Keep in mind that you can always configure VLANs later on.
- The interfaces must be configured, and you will be prompted for the WAN interface first.
- If you only configure one interface, it will be assigned to the WAN, and you will subsequently be able to log in to pfSense through this port.
This is not what you would normally want, as the WAN port is typically accessible from the other side of the firewall.
- When at least one other interface is configured, you will no longer be able to log in to pfSense from the WAN port. Unless you are using VLANs, you will have to set up at least two network interfaces.
In pfSense, network interfaces are assigned rather cryptic device names (for example, em0, em1, and so on), and it is not always easy to know which ports correspond to particular device names. One way of solving this problem is to use the automatic interface assignment feature.
The process is repeated with each successive interface.
- The LAN interface is configured next, then each of the optional interfaces (OPT1, OPT2).
If auto-detection does not work, or you do not want to use it, you can always choose manual configuration. You can always reassign network interfaces later on, so even if you make a mistake on this step, the mistake can be easily fixed.
- Once you have finished configuration, type y and press Enter at the Do you want to proceed? prompt, or type n and press Enter to re-assign the interfaces.
- Option two on the menu is Set interface(s) IP address, and you will likely want to complete this step as well. When you invoke this option, you will be prompted to specify which interface's IP address is to be set.
- If you select the WAN interface, you will be asked whether you want to configure the IP address via DHCP. In most scenarios, this is probably the option you want to choose, especially if pfSense is acting as a firewall. In that case, the WAN interface will receive an IP address from your ISP's DHCP server. For all other interfaces (or if you choose not to use DHCP on the WAN interface), you will be prompted to enter the interface's IPv4 address.
- The next prompt will ask you for the subnet bit count. In most cases, you'll want to enter 8 if you are using a Class A private address, 16 for Class B, and 24 for Class C, but if you are using classless subnetting (for example, to divide a Class C network into two separate networks), then you will want to set the bit count accordingly.
- You will also be prompted for the IPv4 gateway address (any interface with a gateway set is a WAN, and pfSense supports multiple WANs); if you are not configuring the WAN interface(s), you can just hit Enter here.
- Next, you will be prompted to provide the address, subnet bit count, and gateway address for IPv6; if you want your network to fully utilize IPv6 addresses, you should enter them here.
The advantages of IPv6 over IPv4 will be discussed more fully in Chapter 2, Advanced pfSense Configuration.
We have now configured as much as we need to from the console (actually, we have done more than we have to, since we really only have to configure the WAN interface from the console). The remainder of the configuration can be done from the pfSense web GUI.
The pfSense web GUI can only be accessed from another PC. If the WAN was the only interface assigned during the initial setup, then you will be able to access pfSense through the WAN IP address. Once one of the local interfaces is configured (typically the LAN interface), pfSense can no longer be accessed through the WAN interface. You will, however, be able to access pfSense from the local side of the firewall (typically through the LAN interface). In either case, you can access the web GUI by connecting another computer to the pfSense system, either directly (with a crossover cable) or indirectly (through a switch), and then typing either the WAN or LAN IP address into the connected computer's web browser.
If you enabled the LAN interface but did not enable DHCP on LAN, or if you are accessing the web GUI from another computer on the LAN network, you must statically set the IP address on that computer to a valid IP address for the LAN network (for example, if the LAN interface IP address is 192.168.1.1 and the LAN network is 192.168.1.0/24, set it to 192.168.1.2 or any number other than 1 for the last octet).
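As an added example that is not from the book, the following Python sketch works through the addressing rules described at the console and above: the classful bit counts, a classless split of a Class C network, a static management address that avoids the pfSense LAN address, and the check for a clash with the common 192.168.1.x range. The function names and the sample addresses are assumptions of this example.

```python
import ipaddress
from typing import List

# From the console walkthrough: pfSense assigns the LAN interface 192.168.1.1
# by default and then prompts for a "subnet bit count".
DEFAULT_LAN_IP = "192.168.1.1"
DEFAULT_LAN_BITS = 24
# The very common range the Setup Wizard text suggests avoiding.
COMMON_LAN_NETWORK = ipaddress.IPv4Network("192.168.1.0/24")


def classful_bit_count(address: str) -> int:
    """Bit count the console prompt expects for a classful private address:
    8 for Class A (10.x.x.x), 16 for Class B (172.16-31.x.x) and 24 for
    Class C (192.168.x.x).  Anything outside RFC 1918 is rejected, not guessed."""
    ip = ipaddress.IPv4Address(address)
    if ip in ipaddress.IPv4Network("10.0.0.0/8"):
        return 8
    if ip in ipaddress.IPv4Network("172.16.0.0/12"):
        return 16
    if ip in ipaddress.IPv4Network("192.168.0.0/16"):
        return 24
    raise ValueError(f"{address} is not an RFC 1918 private address")


def split_network(network: str, new_prefix: int) -> List[str]:
    """Classless split, for example one Class C /24 into two /25s.  Each
    resulting subnet gets its own interface address and bit count at the console."""
    net = ipaddress.IPv4Network(network, strict=True)
    return [str(sub) for sub in net.subnets(new_prefix=new_prefix)]


def lan_network(interface_ip: str, bit_count: int) -> ipaddress.IPv4Network:
    """The LAN network implied by the interface address plus bit count."""
    return ipaddress.IPv4Interface(f"{interface_ip}/{bit_count}").network


def static_client_address(interface_ip: str, bit_count: int, host_number: int) -> str:
    """Address to set statically on a management PC when DHCP is off on LAN.

    host_number is the offset from the network address (on the default /24
    this is the last octet).  The network address, the broadcast address and
    the pfSense interface address itself are rejected."""
    net = lan_network(interface_ip, bit_count)
    candidate = net.network_address + host_number
    if candidate not in net:
        raise ValueError(f"host number {host_number} is outside {net}")
    if candidate in (net.network_address, net.broadcast_address):
        raise ValueError(f"{candidate} is the network or broadcast address")
    if candidate == ipaddress.IPv4Address(interface_ip):
        raise ValueError(f"{candidate} is already used by the pfSense LAN interface")
    return str(candidate)


def overlaps_common_range(interface_ip: str, bit_count: int) -> bool:
    """True when the chosen LAN network overlaps 192.168.1.0/24, which so many
    consumer devices also use that a clash is likely."""
    return lan_network(interface_ip, bit_count).overlaps(COMMON_LAN_NETWORK)


if __name__ == "__main__":
    print(classful_bit_count(DEFAULT_LAN_IP))                          # 24
    print(split_network("192.168.1.0/24", 25))                        # two /25s
    print(static_client_address(DEFAULT_LAN_IP, DEFAULT_LAN_BITS, 2))  # 192.168.1.2
    print(overlaps_common_range("192.168.50.1", 24))                   # False
```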
- When you initially log in to pfSense, the default username/password combination will be admin/pfsense, respectively.
- On your first login, the Setup Wizard will begin automatically.
- Click on the Next button to begin configuration.
If you need to run the Setup Wizard after your initial login, select Setup Wizard from the top menu.
- The first screen provides a link for information about a pfSense Gold Netgate Global Support subscription. You can click on the link to sign up or to learn more, or click on the Next button.
- On the next screen, you will be prompted to enter the hostname of the router as well as the domain. Hostnames can contain letters, numbers, and hyphens, but must begin with a letter. If you have a domain, you can enter it in the appropriate field.
- In the Primary DNS Server and Secondary DNS Server fields, you can enter your DNS servers. If you are using DHCP for your WAN, you can probably leave these fields blank, as they will usually be assigned automatically by your ISP. However, your ISP's DNS servers may not be reliable. There are many third-party DNS servers available, including OpenDNS (208.67.222.222) and Google Public DNS (8.8.8.8). Uncheck the Override DNS checkbox if you want to use third-party DNS servers rather than the DNS servers used by your ISP. Click on Next.
- The next screen will prompt you for the Network Time Protocol (NTP) server as well as the local time zone. The NTP server configuration will be covered in greater detail in the next chapter; you can keep the default value for the server hostname for now. For the Timezone field, you should select the zone which matches your location and click on Next.
- The next screen of the wizard is the WAN configuration page.
In most scenarios, you won't need to make any further changes to the WAN in comparison to what was done at the console (at least initially; a multi-WAN setup is more involved and will be discussed more fully in Chapter 9, Multiple WANs).
If you need to make changes, however, there are several options on this page.
- Under Selected Type, you have several options, but the most commonly used are DHCP (the default type) and Static. If your pfSense system is behind another firewall and it is not going to receive an IP address from an upstream DHCP server, then you should probably choose Static. If pfSense is going to be a perimeter firewall, however, then DHCP is likely the correct setting, since your ISP will probably dynamically assign an IP address (this is not always the case, as your ISP may have statically assigned an IP address to you, but it is the more likely scenario).
- The other choices are Point-to-Point Protocol over Ethernet (PPPoE) and Point-to-Point Tunneling Protocol (PPTP). Your ISP may require that you use one of these options for the WAN interface; if you are not sure, check with them.
- If you selected either PPPoE or PPTP, you will have to scroll down to the appropriate part of the page to enter parameters for these connections.
- At a minimum, you will likely have to enter the Username and Password for such connections. In addition, PPTP requires that you enter a local IP address and a remote IP address.
- The dial-on-demand checkbox for PPPoE and PPTP connections allows you to connect to your ISP only when a user requests data that requires an internet connection. Both PPPoE and PPTP support an Idle timeout setting, which specifies how long the connection will be kept open after transmitting data when this option is invoked. Leaving this field blank disables this function.
PPP (Point-to-Point Protocol) and L2TP (Layer 2 Tunneling Protocol) are also valid choices for the WAN configuration type. However, the Setup Wizard does not allow the user to select either of these. In order to select PPP or L2TP, navigate to Interfaces | WAN from the top menu, and select PPP or L2TP in either the IPv4 Configuration Type or IPv6 Configuration Type drop-down box (or both). Setup is similar to the setup for PPPoE and PPTP (you will have to enter a Username and Password), and in the case of PPP, you will also have to enter your ISP's phone number in the field provided.
- We can now turn our attention to the General Configuration section. The MAC address field allows you to enter a MAC address that is different from the actual MAC address of the WAN interface. This can be useful if your ISP will not recognize an interface with a different MAC address than the device that was previously connected, or if you want to acquire a different IP address (changing the MAC address will cause the upstream DHCP server to assign a different address).
- If you use this option, make sure the portion of the address reserved for the Organizationally Unique Identifier (OUI) is a valid OUI – in other words, an OUI assigned to a network card manufacturer. (The OUI portion of the address is the first three bytes of a MAC-48 address and the first five bytes of an EUI-48 address).
- The next few fields can usually be left blank. Maximum Transmission Unit (MTU) allows you to change the MTU size if necessary. DHCP hostname allows you to send a hostname to your ISP when making a DHCP request, which is useful if your ISP requires this.
- The Block RFC1918 Private Networks checkbox, if checked, will block registered private networks (as defined by RFC 1918) from connecting to the WAN interface. The Block Bogon Networks option blocks traffic from reserved and/or unassigned IP addresses. For the WAN interface, you should check both options unless you have special reasons for not doing so. Click the Next button when you are done.
- The next screen provides fields in which you can change the LAN IP address.
- You can keep the default, or change it to another value within the private address blocks. You may want to choose an address range other than the very common 192.168.1.x in order to avoid a conflict.
- Be aware that if you change the LAN IP address value, you will also need to adjust your PC's IP address, or release and renew its DHCP lease when finished with the network interface. You will also have to change the pfSense IP address in your browser to reflect the change.
- The final screen of the pfSense Setup Wizard allows you to change the admin password, which you should do now.
- Enter the password, enter it again for confirmation in the next edit box, and click on Next.
- Later on, you can create another administrator account with a username other than admin and disable the admin account, for additional security, unless you plan on setting up multiple firewalls for high availability, in which case you will need to retain the admin account.
- On the following screen, there will be a Reload button; click on Reload. This will reload pfSense with the new changes.
- Once you have completed the wizard, you should have network connectivity. Although there are other means of making changes to pfSense's configuration, if you want to repeat the wizard, you can do so by navigating to Setup Wizard. Completion of the wizard will take you to the pfSense dashboard.
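The two reserved-network options seen on the WAN page of the wizard (Block RFC1918 Private Networks and Block Bogon Networks) are easiest to reason about with a small classifier. This is an added Python example, not code from the book or from pfSense: the bogon entries are a constructed, deliberately partial sample standing in for the list pfSense downloads and refreshes, and the function names and sample addresses are assumptions of this example.

```python
import ipaddress
from typing import Dict, List

# What "Block RFC1918 Private Networks" (and, on the interface page,
# "Block private networks and loopback addresses") covers: RFC 1918 IPv4
# space, RFC 4193 IPv6 unique local addresses, and the loopback ranges.
PRIVATE_AND_LOOPBACK = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("::1/128"),
]

# Constructed, deliberately partial stand-in for the bogon list pfSense
# fetches periodically: reserved or unallocated space that should never be
# the source of a packet arriving from the internet.
BOGON_SAMPLE = [
    ipaddress.ip_network("0.0.0.0/8"),        # "this" network
    ipaddress.ip_network("169.254.0.0/16"),   # IPv4 link-local
    ipaddress.ip_network("192.0.2.0/24"),     # RFC 5737 documentation range
    ipaddress.ip_network("224.0.0.0/4"),      # multicast
    ipaddress.ip_network("240.0.0.0/4"),      # reserved
    ipaddress.ip_network("2001:db8::/32"),    # IPv6 documentation range
    ipaddress.ip_network("fe80::/10"),        # IPv6 link-local
]


def classify_source(addr: str, block_private: bool = True,
                    block_bogons: bool = True) -> str:
    """Decide how a packet's source address is treated by the two checkboxes.

    Returns "private", "bogon" or "pass".  Private space is tested first
    because pfSense keeps it as its own option; on internal interfaces
    block_private is normally left off so that LAN clients are not dropped.
    """
    ip = ipaddress.ip_address(addr)
    # ipaddress membership is False across IP versions, so one loop serves both.
    if block_private and any(ip in net for net in PRIVATE_AND_LOOPBACK):
        return "private"
    if block_bogons and any(ip in net for net in BOGON_SAMPLE):
        return "bogon"
    return "pass"


# Constructed sample of source addresses as they might be seen on WAN.
SAMPLE_WAN_SOURCES: List[str] = [
    "8.8.8.8",        # public address, passes
    "10.0.0.5",       # RFC 1918
    "127.0.0.1",      # loopback
    "fd00::1",        # RFC 4193 ULA
    "192.0.2.7",      # documentation range, in the bogon sample
    "2001:db8::1",    # IPv6 documentation range, in the bogon sample
]


def audit_sources(sources: List[str], block_private: bool = True,
                  block_bogons: bool = True) -> Dict[str, int]:
    """Count how many of the given sources each checkbox would drop."""
    counts = {"private": 0, "bogon": 0, "pass": 0}
    for src in sources:
        counts[classify_source(src, block_private, block_bogons)] += 1
    return counts


if __name__ == "__main__":
    print("WAN, both options on:", audit_sources(SAMPLE_WAN_SOURCES))
    # The same private address is fine on LAN when the option is left off.
    print("LAN client:", classify_source("192.168.1.50", block_private=False))
```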
By now, both the WAN and LAN interface configurations should be complete. Although additional interface configuration can be done at the console, it can also be done (and somewhat more conveniently) in the web GUI.
- To add optional interfaces, navigate to the Assignments tab, which will show a list of assigned interfaces; at the bottom of the table, there will be an Available network ports option.
- There will be a corresponding drop-down box with a list of unassigned network ports. These will have device names such as em0, em1, and so on.
- To assign an unused port, select the port you want to assign from the drop-down box, and click on the + button to the right.
- The page will reload, and the new interface will be the last entry in the table. The name of the interface will be OPTx, where x equals the number of optional interfaces.
- By clicking on the interface name, you can configure the interface.
Nearly all the settings here are similar to the settings that were available on the WAN and LAN configuration pages in the pfSense Setup Wizard. Some of the options under the General Configuration section that are not available in the Setup Wizard are MSS (Maximum Segment Size) and Speed and duplex. Normally, MSS should remain unchanged, although you can change this setting if your internet connection requires it.
- If you click on Speed and duplex, a drop-down box will appear in which you can explicitly set the speed and duplex for the interface. Since virtually all modern network hardware can automatically select the correct speed and duplex, you will probably want to leave this unchanged.
- The section at the bottom of the page, Reserved Networks, allows you to enable Block private networks and loopback addresses and Block bogon networks via their respective checkboxes. Although these options are checked by default when configuring the WAN interface, we normally want to allow private networks on internal interfaces, so these options are normally not enabled when configuring non-WAN interfaces.
- If you chose an option other than the default under Configuration Type, then other options will appear. Since it is unlikely that internal interfaces will be configured as such, further discussion of these options will take place in the next section on WAN configuration.
Most likely, you won't have to do any additional configuration for the WAN interface; the configuration done in the Setup Wizard will be enough to get you started. If you need to make changes, however, follow these steps:
- Navigate to Interfaces | WAN in the main menu.
- The most likely scenario is that your ISP will provide an IP address via DHCP, but many providers will provide you with a static IP address if you require one. In such cases, you will need to set your configuration type to Static and then enter your WAN IP address and CIDR under either the Static IPv4 Configuration or Static IPv6 Configuration section (or possibly both, if you plan to have both an IPv4 and an IPv6 address).
- You will also need to specify your ISP's gateway, which you can do by clicking on the Add a new gateway button. A dialog box will appear in which you can enter the IP address and a description.
- If you have selected DHCP as the configuration type, then there are several options in addition to the ones available in the Setup Wizard. Clicking on the Advanced checkbox in the DHCP client configuration causes several additional options to appear in this section of the page.
- The first is Protocol Timing, which allows you to control DHCP protocol timings when requesting a lease. You can also choose from several presets (such as Saved Cfg) using the radio buttons on the right.
- There is also a Configuration Override checkbox which, if checked, allows you to specify the absolute path to a DHCP client configuration file in the Configuration Override File edit box. If your ISP supports pfSense, it should be able to provide you with a valid configuration override file.
- If the Configuration Override checkbox is not checked, there will be three edit boxes in this section under the checkboxes. The first is Hostname; this field is sent as a DHCP hostname and client identifier when requesting a DHCP lease. Alias IPv4 address allows you to enter a fixed IP address for the DHCP client. The Reject Leases from field allows you to specify the IP address or subnet of an upstream DHCP server to be ignored.
- The next section is Lease Requirements and Requests. Here you can specify require options when requesting a DHCP lease; these are useful if your ISP requires particular options. The last section is Option Modifiers, where you can add DHCP option modifiers, which are applied to an obtained DHCP lease.
- Starting with pfSense version 2.2.5, there is support for IPv6 with DHCP (DHCP6). If you are running 2.2.5 or above, there will be a section on the page called DHCP6 client configuration.
- Similar to the configuration for IPv4 DHCP, there are checkboxes for Advanced and Configuration Override.
- Checking the Advanced checkbox in the heading of this section displays the Advanced DHCP6 options:
- If you check the Information Only checkbox on the left, pfSense will send requests for stateless DHCPv6 information.
- You can specify Request options, just as you can for IPv4.
- There is also a Script field where you can enter the absolute path to a script that will be invoked on certain conditions.
- The next options are the Identity Association Statement checkboxes. The Non-Temporary Address Allocation checkbox causes normal (that is, not temporary) IPv6 addresses to be allocated for the interface. The Prefix Delegation checkbox causes a set of IPv6 prefixes to be allocated from the DHCP server.
- The next set of options, Authentication Statement, allows you to specify authentication parameters to the DHCP server. The Authname parameter allows you to specify a string, which in turn specifies a set of parameters.
- The remaining parameters are of limited usefulness in configuring a DHCP6 client, because each has only one allowed value, and leaving them blank will result in only the allowed value being used. If you are curious as to what these values are, here they are:
- If you check the Key info Statement checkbox, you can enter a secret key. The required fields are key id, which identifies the key, and secret, which provides the shared secret. The other fields, such as realm, are arbitrary strings and may be omitted. expire may be used to specify an expiration time for the key, but if it is omitted, the key will never expire.
- If you do not check the configuration override checkbox (in which case you would specify a configuration override file, similar to how this option works with DHCP over IPv4), there will be several more options in this DHCP Client Configuration section. Use IPv4 connectivity as parent interface allows you to request an IPv6 prefix over an IPv4 link. Request only an IPv6 prefix allows you to request just the prefix, not an address. DHCPv6 Prefix Delegation size allows you to specify the prefix length.
- You can check Send IPv6 prefix hint to indicate the desired prefix length, Debug for debugging, and select Do not wait for an RA (router advertisement) and/or Do not allow PD/Address release, if your ISP requires it.
- The last section on the page is identical to the interface configuration page in the Setup Wizard, and contains the Block Private Networks and Block Bogon Networks checkboxes.
You can find several configuration options under General Setup. Most of these are identical to settings that can be configured in the Setup Wizard (such as the NTP server). There are two additional settings available:
- The Language drop-down box allows you to select the web configurator language.
- Under the Web Configurator section, there is a Theme drop-down box that allows you to select the theme. The default theme of pfSense is perfectly adequate, but you can select another one here. There are several new theme options available for version 2.4, so if you have not tried these, you may want to do so.
pfSense 2.3 added new options to control the look and feel of the web interface, and 2.4 has added some more; these settings are also found in the Web Configurator section of the General Settings page:
- The top navigation drop-down box allows you to choose whether the top navigation scrolls with the page, or remains anchored at the top as you scroll.
- The Hostname in Menu option allows you to replace the Help menu title with the system name or fully qualified domain name (FQDN).
- The Dashboard Columns option allows you to select the number of columns on the dashboard page.
- The next set of options is Associated Panels Show/Hide. These options control the appearance of certain panels on the System Logs page. The options are:
  - Available Widgets: Checking this box causes the Available Widgets panel to appear on the Dashboard. Prior to version 2.3, the Available Widgets panel was always visible on the Dashboard.
  - Log Filter: Checking this box causes the Advanced Log Filter panel to appear on the System Logs page. Advanced Log Filter allows you to filter the system logs by time, process, PID, and message.
  - Manage Log: Checking this box causes the Manage General Log panel to appear on the System Logs page. The Manage General Log panel allows you to control the display of the logs, how big the log file may be, and the formatting of the log file, among other things.
  - Monitoring Settings: Checking this box causes the Settings section to appear on the Monitoring page, which allows custom configuration of the interactive graph on that page.
- The Require State Filter checkbox, if checked, causes the state table in States to only appear if a filter is entered.
- The last option on this page, Left Column Labels, if checked, allows you to select/toggle the first item in a group by clicking on the left column.
- The last three options on the page were added with version 2.4:
- The Alias Popups checkbox, if checked, will disable showing the details of an alias in the popups that appear when hovering the mouse over an alias.
- The Login page color drop-down box allows you to customize the login page color; the current default color is blue.
- Finally, the Login hostname checkbox, when checked, will display the hostname on the login page. Having the hostname on the login page can be a helpful reminder if you are managing a large network with several firewalls, but it also potentially gives away what network is being secured.
- Click on Save at the bottom of the page to save any changes.
The goal of this chapter was to provide a brief overview of how to get pfSense up and running. Completion of this chapter should give you an idea of where to deploy pfSense on your network, as well as what hardware to utilize. You should also know how to troubleshoot common installation problems and how to do basic system configuration in the most common deployment scenarios.
We have barely scratched the surface here, however, and in the next chapter we will cover some of the more advanced configuration options. We will cover DHCP and DHCPv6, DNS and Dynamic DNS, as well as other capabilities you are likely to consider utilizing, such as captive portal, the Network Time Protocol (NTP), and the Simple Network Management Protocol.
The learning curve becomes somewhat steeper after this chapter, but fear not: if you have a solid understanding of computer networks and how they work, mastering pfSense can be both educational and fun.
Answer the following questions:
- What term is used to refer to a network that is separate from the rest of the local network and provides services to users outside of the local network?
- What are the minimum specifications for pfSense in terms of CPU, RAM and disk space?
- How much memory does a state table entry require?
- Why is it a good idea to use checksums?
- What is the best filesystem choice for an organization that (a) requires support for filesystem-level encryption and data deduplication? (b) requires maximum backward compatibility?
- Identify the two places from which interface assignment can be done in pfSense.
- Identify at least four different valid configuration types for a pfSense interface.
- What is the default setting for Block Private Networks and loopback addresses (a) on the WAN interface? (b) on the LAN interface? (c) Why?
- Identify two places within the web GUI where the time zone can be set.
- Identify at least three parameters that can be set in the Setup Wizard.
- The official pfSense documentation wiki is a good place to get started. There you will find a guide for downloading and installing pfSense, a features list, a packages list and documentation for packages, as well as an FAQ document. You can find the wiki at: https://doc.pfsense.org/index.php/Main_Page.
- During the WAN and LAN configuration, you may have noticed that the description of block private addresses and loopback addresses makes reference to RFC 1918 and RFC 4193. RFC stands for Request for Comments; these are documents published by the Internet Engineering Task Force (IETF), and in spite of their deceptively informal title, RFCs are actually specifications and standards for internet-related technologies. RFC 1918 and 4193, for example, describe private addressing for IPv4 and IPv6 networks respectively. If you wish to read an RFC, navigate to: https://tools.ietf.org/html/, which allows you to retrieve RFCs by number or draft name.