While high-speed internet connectivity is becoming more and more common, many in the online world—especially those with residential connections or small office/home office (SOHO) setups—lack the hardware to fully take advantage of these speeds. Fiber-optic technology brings with it the promise of a gigabit speed or greater, and the technology surrounding traditional copper networks is also yielding improvements. Yet many people are using consumer-grade routers that offer, at best, mediocre performance.
pfSense, an open source router/firewall solution, is a far better alternative that is available to you. You have likely already downloaded, installed, and configured pfSense, possibly in a residential or SOHO environment. As an intermediate-level pfSense user, you do not need to be sold on the benefits of pfSense. Nevertheless, you may be looking to deploy pfSense in a different environment (for example, a corporate network), or you may just be looking to enhance your knowledge of pfSense. In either case, mastering the topics in this book will help you achieve these goals.
This chapter is designed to review the process of getting your pfSense system up and running. It will guide you through the process of choosing the right hardware for your deployment, but it will not provide a detailed treatment of installation and initial configuration. The emphasis will be on troubleshooting, as well as some of the newer configuration options.
This chapter will cover the following topics:
- A brief overview of the pfSense project
- pfSense deployment scenarios
- Minimum specifications and hardware sizing guidelines
- The best practices for installation and configuration
- Basic configuration from both the console and the pfSense web GUI
The following equipment is required for installing and configuring pfSense 2.4:
- A 64-bit Intel, AMD, or ARM-based system with a 500 MHz processor or greater, at least 512 MB of RAM, and 1 GB of disk space onto which pfSense will be installed
- A USB thumb drive with at least 1 GB of disk space, or blank CD media if you prefer using optical media, which will serve as the installation media
- Internet access, for downloading pfSense binaries
- A second computer system, for accessing the pfSense web GUI
- An Ethernet switch and cabling, or a crossover cable, for connecting the second computer system to the pfSense system
If you want to try out pfSense without doing an actual installation, you can create a pfSense virtual machine. While this chapter does not provide a guide to installing pfSense into a virtual environment, I recommend the following for running pfSense in a virtual machine:
- A 64-bit Intel or AMD-based system with a 2 GHz processor or greater, at least 8 GB of RAM, and enough disk space to accommodate the virtual hard drive (likely 8 GB or greater)
- Either a Type 1 or Type 2 hypervisor:
- Type 1 (bare-metal hypervisor; runs directly on the hardware):
- VMware ESXi
- Microsoft Hyper-V
- Type 2 (requires an OS):
- Proxmox (Linux)
- Oracle VM VirtualBox (Linux, Windows, mac OS, Solaris)
- Type 1 (bare-metal hypervisor; runs directly on the hardware):
Most likely you will have to create two virtual machines: one into which pfSense will be installed, and a second from which you will access the web GUI and test the functionality of the virtual pfSense system.
The origins of pfSense can be traced to the OpenBSD packet filter known as PF, which was incorporated into FreeBSD in 2001. As PF is limited to a command-line interface, several projects have been launched in order to provide a graphical interface for PF. m0n0wall, which was released in 2003, was the earliest attempt at such a project. pfSense began as a fork of the m0n0wall project.
Version 1.0 of pfSense was released on October 4, 2006. Version 2.0 was released on September 17, 2011. Version 2.1 was released on September 15, 2013, and Version 2.2 was released on January 23, 2015. Version 2.3, released on April 12, 2016, phased out support for legacy technologies such as the Point-to-Point Tunneling Protocol (PPTP), the Wireless Encryption Privacy (WEP) and Single DES, and also provided a facelift for the web GUI.
Version 2.4, released on October 12, 2017, continues this trend of phasing out support for legacy technologies while also adding features and improving the web GUI. Support for 32-bit x86 architectures has been deprecated (security updates will continue for 32-bit systems, however, for at least a year after the release of 2.4), while support for Netgate Advanced RISC Machines (ARM) devices has been added. A new pfSense installer (based on FreeBSD's bsdinstall) has been incorporated into pfSense, and there is support for the ZFS filesystem, as well as the Unified Extensible Firmware Interface (UEFI). pfSense now supports OpenVPN 2.4.x, and as a result, features such as AES-GCM ciphers can be utilized. In addition, pfSense now supports multiple languages; the web GUI has been translated into 13 different languages. At the time of writing, version 2.4.2, released on November 21, 2017, is the most recent version.
Once you have decided to add a pfSense system to your network, you need to consider how it is going to be deployed on your network. pfSense is suitable for a variety of networks, from small to large ones, and can be employed in a variety of deployment scenarios. In this section, we will cover the following possible uses for pfSense:
- Perimeter firewall
- Wireless router/wireless access point
The most common way to add pfSense to your network is to use it as a perimeter firewall, as shown in the diagram. In this scenario, your internet connection is connected to one port on the pfSense system, and your local network is connected to another port on the system. The port connected to the internet is known as the WAN interface, and the port connected to the local network is known as the LAN interface:
If pfSense is your perimeter firewall, you may choose to set it up as a dedicated firewall, or you might want to have it perform the double duty of a firewall and a router. You may also choose to have more than two interfaces in your pfSense system (known as optional interfaces). In order to act as a perimeter firewall, however, a pfSense system requires at least two interfaces: a WAN interface (to connect to outside networks), and a LAN interface (to connect to the local network).
The perimeter firewall performs two broad functions. The first, monitoring and controlling inbound traffic, should be fairly obvious. Allowing certain traffic on certain ports, while blocking all other traffic, is a core function of all firewalls. The second, monitoring and controlling outbound traffic, might seem less obvious but is also important. Outbound web traffic tends to pass through the firewall unchallenged. This, however, leaves our network vulnerable to malware that targets web browsers. To protect our networks against such threats, we need to monitor outbound traffic as well.
It is commonplace to set up the networks behind the firewall with a split architecture, with assets accessible from the internet being kept separate from the rest of the network. In such cases, the internet-accessible resources are placed on a separate network generally referred to as the demilitarized zone (DMZ). If your network requires such a setup, you can easily do this with pfSense as your perimeter firewall, as we will see later.
In more complex network setups, your pfSense system may have to exchange routing information with other routers on the network. There are two types of protocols for exchanging such information: distance vector protocols obtain their routing information by exchanging information with neighboring routers; routers use link-state protocols to build a map of the network in order to calculate the shortest path to another router, with each router calculating distances independently. pfSense is capable of running both types of protocols. Packages are available for distance vector protocols such as RIP and RIPv2, and link-state protocols such as Border Gateway Protocol (BGP). These protocols will be discussed in greater detail in Chapter 10, Routing and Bridging.
Another common deployment scenario is to set up pfSense as a router. In a home or SOHO environment, firewall and router functions are often performed by the same device. In mid-sized to large networks, however, the router is a device separate from that of the perimeter firewall.
In larger networks, which have several network segments, pfSense can be used to connect these segments. Traditionally, using a router to connect multiple networks requires multiple network interfaces on the router. However, with VLANs, we can use a single network interface card (NIC) to operate in multiple broadcast domains via 802.1q tagging. VLANs are often used with the ever-popular router on a stick configuration, in which the router has a single physical connection to a switch (this connection is known as a trunk), with the single Ethernet interface divided into multiple VLANs, and the router forwarding packets between the VLANs. One of the advantages of this setup is that it only requires a single port, and, as a result, it allows us to use pfSense with systems on when adding another NIC would be cumbersome or even impossible: for example, a laptop or certain thin clients. We will cover VLANs in greater depth in Chapter 3, VLANS.
In most cases, where pfSense is deployed as a router on mid-sized and large networks, it would be used to connect different LAN segments; however, it could also be used as a WAN router. In this case, pfSense's function would be to provide a private WAN connection to the end user.
Another possible deployment scenario is to use pfSense as a switch. If you have multiple interfaces on your pfSense system and bridge them together, pfSense can function as a switch. This is a far less common scenario, however, for several reasons:
- Using pfSense as a switch is generally not cost effective. You can purchase a five-port Ethernet switch for less than what it would cost to purchase the hardware for a pfSense system. Buying a commercially available switch will also save you money in the long run, as they likely would consume far less power than whatever computer you would be using to run pfSense.
- Commercially available switches will likely outperform pfSense, as pfSense will process all packets that pass between ports, while a typical Ethernet switch will handle them locally with dedicated hardware made specifically for passing data between ports quickly. While you can disable filtering entirely in pfSense if you know what you're doing, you will still be limited by the speed of the bus on which your network cards reside, whether it is PCI, PCI-X, or PCI Express (PCI-e).
- There is also the administrative overhead of using pfSense as a switch. Simple switches are designed to be Plug and Play, and setting up these switches is as easy as plugging in your Ethernet cables and the power cord. Managed switches typically enable you to configure settings at the console and/or through a web interface, but in many cases, configuration is only necessary if you want to modify the operation of the switch. If you use pfSense as a switch, however, some configuration will be required.
If none of this intimidates you, then feel free to use pfSense as a switch. While you're not likely to achieve the performance level or cost savings of using a commercially available switch, you will likely learn a great deal about pfSense and networking in the process. Moreover, advances in hardware could make using pfSense as a switch viable at some point in the future. Advances in low-power consumption computers are one factor that could make this possible.
Yet another possibility is using pfSense as a wireless router/access point. A sizable proportion of modern networks incorporate some type of wireless connectivity. Connecting to a network's wireless is not only easier, but in some cases, running an Ethernet cable is not a realistic option. With pfSense, you can add wireless networking capabilities to your system by adding a wireless network card, provided that the network card is supported by FreeBSD.
Generally, however, using pfSense as a wireless router or access point is not the best option. Support for wireless network cards in FreeBSD leaves something to be desired. Support for the IEEE's 802.11b and g standards is okay, but support for 802.11n and 802.11ac is not very good.
A more likely solution is to buy a wireless router (even if it is one of the aforementioned consumer-grade units), set it up to act solely as an access point, connect it to the LAN port of your pfSense system, and let pfSense act as a Dynamic Host Configuration Protocol (DHCP) server. A typical router will work fine as a dedicated wireless access point, and they are more likely to support the latest wireless networking standards than pfSense. Another possibility is to buy a dedicated wireless access point. These are generally inexpensive and some have such features as multiple SSIDs, which allow you to set up multiple wireless networks (for example, you could have a separate guest network which is completely isolated from other local networks). Using pfSense as a router, in combination with a commercial wireless access point, is likely the least-troublesome option.
Once you have decided where to deploy pfSense on your network, you should have a clearer idea of what your hardware requirements are. As a minimum, you will need a CPU, motherboard, memory (RAM), some form of disk storage, and at least two network interfaces (unless you are opting for a router on a stick setup, in which case you only need one network interface). You may also need one or more optional interfaces.
The starting point for our discussion on hardware requirements is the pfSense minimum specifications. As of January 2018, the minimum hardware requirements are as follows (these specifications are from the official pfSense site, https://www.pfsense.org):
- CPU – 500 MHz (1 GHz recommended)
- RAM – 512 MB (1 GB recommended)
pfSense requires a 64-bit Intel (x86-64) or AMD (amd64) CPU. You should also use a CPU that supports the AES-NI instruction set extensions (or another hardware crypto offload), as such a CPU will be required, starting with version 2.5. There are three separate images provided for these architectures: CD, CD on a USB memstick, and an image for ARM-based Netgate systems. The active default console for the CD and CD on USB memstick images is VGA, while the active default console for the Netgate image is serial. The NanoBSD images (for embedded systems, which enabled the serial console by default) have been deprecated with the release of version 2.4. The serial console can be enabled on images which default to VGA via the web GUI under System | Advanced.
A pfSense installation requires at least 1 GB of disk space. If you are installing on an embedded device, you can access the console either by a serial or VGA port. A step-by-step installation guide for the pfSense Live CD can be found on the official pfSense website at: https://doc.pfsense.org/index.php/Installing_pfSense.
Version 2.3 eliminated the Live CD, which allowed you to try out pfSense without installing it onto other media. If you really want to use the Live CD, however, you could use a pre-2.3 image (version 2.2.6 or earlier). You can always upgrade to the latest version of pfSense after installation.
Installation onto either a hard disk drive (HDD) or a solid-state drive (SSD) is the most common option for a full install of pfSense, whereas embedded installs typically use CF, SD, or USB media. A full install of the current version of pfSense will fit onto a 1 GB drive, but will leave little room for installation of packages or for log files. Any activity that requires caching, such as running a proxy server, will also require additional disk space.
The last installation option in the table is installation onto an embedded system using the Netgate ADI image. Netgate currently sells several ARM-based systems such as the SG-3100, which is advertised as an appliance that can be used in many deployment scenarios, including as a firewall, LAN or WAN router, VPN appliance, and DHCP or DNS server. It is targeted towards small and medium-sized businesses and may appeal to home and business users seeking a reliable firewall appliance with a low total cost of ownership. Storage (without upgrading) is limited to 8 GB of eMMC Flash, which would limit which packages could be installed. Another Netgate option is the SG-1000, which is a bare bones router with only 2 Ethernet ports, 512 MB of RAM and 4 GB of eMMC Flash.
The minimum hardware requirements are general guidelines, and you may want to exceed these minimums based on different factors. It may be useful to consider these factors when determining what CPU, memory, and storage device to use:
- For the CPU, requirements increase for faster internet connections.
The following general guidelines apply: the minimum hardware specifications (Intel/AMD CPU of 500 MHz or greater) are valid up to 20 Mbps. CPU requirements begin to increase at speeds greater than 20 Mbps.
- Connections of 100 Mbps or faster will require PCI-E network adapters to keep up with the increased network throughput.
If you intend to use pfSense to bridge interfaces—for example, if you want to bridge a wireless and wired network, or if you want to use pfSense as a switch—then the PCI bus speed should be considered. The PCI bus can easily become a bottleneck. Therefore, in such scenarios, using PCI-e hardware is the better option, as it offers up to 31.51 GBps (for PCI-e v. 4.0 on a 16-lane slot) versus 533 MBps for the fastest conventional PCI buses.
If you plan on using pfSense as a VPN server, then you should take into account the effect VPN usage will have on the CPU. Each VPN connection requires the CPU to encrypt traffic, and the more connections there are, the more the CPU will be taxed. Generally, the most cost-effective solution is to use a more powerful CPU. But there are ways to reduce the CPU load from VPN traffic. Soekris has the vpn14x1 product range; these cards offload the CPU of the computing intensive tasks of encryption and compression. AES-NI acceleration of IPSec also significantly reduces the CPU requirements.
If you have hundreds of simultaneous captive portal users, you will require slightly more CPU power than you would otherwise. Captive portal usage does not put as much of a load on the CPU as VPN usage, but if you anticipate having a lot of captive portal users, you will want to take this into consideration.
If you're not a power user, 512 MB of RAM might be enough for your pfSense system. This, however, would leave little room for the state table (where, as mentioned earlier, active connections are tracked). Each state requires about 1 KB of memory, which is less memory than some consumer-grade routers require, but you still want to be mindful of RAM if you anticipate having a lot of simultaneous connections. The other components of pfSense require 32 to 48 MB of RAM, and possibly more, depending on which features you are using, so you have to subtract that from the available memory in calculating the maximum state table size:
Installing packages can also increase your RAM requirements; Snort and ntop are two such examples. You should also probably not install packages if you have limited disk space. Proxy servers in particular use up a fair amount of disk space, which is something you should probably consider if you plan on installing a proxy server such as Squid.
The amount of disk space, as well as the form of storage you utilize, will likely be dictated by what packages you install, and what forms of logging you will have enabled. Some packages are more taxing on storage than others. Some packages require more disk space than others. Proxies such as Squid store web pages; anti-spam programs such as pfBlocker download lists of blocked IP addresses, and therefore require additional disk space. Proxies also tend to perform a great deal of read and write operations; therefore, if you are going to install a proxy, disk I/O performance is something you should likely take into consideration.
You may be tempted to opt for the cheapest NICs. However, inexpensive NICs often have complex drivers that offload most of the processing to the CPU. They can saturate your CPU with interrupt handling, thus causing missed packets. Cheaper network cards typically have smaller buffers (often no more than 300 KB), and when the buffers become full, packets are dropped. In addition, many of them do not support Ethernet frames that are larger than the maximum transmission unit (MTU) of 1,500 bytes. NICs that do not support larger frames cannot send or receive jumbo frames (frames with an MTU larger than 1,500 bytes), and therefore they cannot take advantage of the performance improvement that using jumbo frames would bring. In addition, such NICs will often have problems with VLAN traffic, since a VLAN tag increases the size of the Ethernet header beyond the traditional size limit.
The pfSense project recommends NICs based on Intel chipsets, and there are several reasons why such NICs are considered reliable. They tend to have adequately sized buffers, and do not have problems processing larger frames. Moreover, the drivers tend to be well-written and work well with Unix-based operating systems.
For a typical pfSense setup, you will need two network interfaces: one for the WAN and one for the LAN. Each additional subnet (for example, for a guest network) will require an additional interface, as will each additional WAN interface. It should be noted that you don't need an additional card for each interface added; you can buy a multiport network card (most of such cards have either two or four ports). You don't need to buy new NICs for your pfSense system; in fact, it is often economical to buy used NICs, and except in rare cases, the performance level will be the same.
If you want to incorporate wireless connectivity into your network, you may consider adding a wireless card to your pfSense system. As mentioned earlier, however, the likely better option is to use pfSense in conjunction with a separate wireless access point. If you do decide to add a wireless card to your system and configure it for use as an access point, you will want to check the FreeBSD hardware compatibility list before making a purchase.
Once you have chosen your hardware and which version you are going to install, you can download pfSense.
- Browse to the Downloads section of pfsense.org and select the appropriate computer architecture (32-bit, 64-bit, or Netgate ADI), the appropriate platform (Live CD, memstick, or embedded), and you should be presented with a list of mirrors. Choose the closest one for the best performance.
You will also want to download the SHA256 checksum file in order to verify the integrity of the downloaded image. Verifying the integrity of downloads serves two purposes:
- It ensures that the download completed
- It safeguards against a party maliciously tampering with the images
In order to safeguard against the latter, however, be sure to download the checksum from a different mirror site than the site from which you downloaded the image. This provides an additional measure of security should an individual mirror site be compromised.
Windows has several utilities for displaying SHA256 hashes for a file. Under BSD and Linux, generating the SHA256 hash is as easy as typing the following command:
shasum -a 256 pfSense-LiveCD-2.4.2-RELEASE-amd64.iso.gz
This command generates the MD5 checksum for the 64-bit Live CD version for pfSense 2.4.2. You should compare the resulting hash with the contents of the .sha256 file downloaded from one of the (other) mirrors.
- If the system hangs during the boot process, there are several options you can try. The first menu that appears, as pfSense boots, has several options. The last two options are Kernel and Configure Boot Options. Kernel allows you to select which kernel to boot from among the available kernels.
If you have a reason to suspect that the FreeBSD kernel being used is not compatible with your hardware, you might want to switch to the older version. Configure Boot Options launches a menu (shown in the preceding screenshot) with several useful options. A description of these options can be found at: https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/. Toggling [A]CPI Support to off can help in some cases, as ACPI's hardware discovery and configuration capabilities may cause the pfSense boot process to hang. If turning this off doesn't work, you could try booting in Safe [M]ode, and if all else fails, you can toggle [V]erbose mode to On, which will give you detailed messages while booting.
- While booting, pfSense provides information about your hardware, including expansion buses supported, network interfaces found, and USB support. When this is finished, the graphical installer will launch and you will see the copyright and distribution notice.
- Select Accept and press Enter to accept these terms and conditions and continue with the installation.
- The installer then provides you with three options: Install pfSense, Rescue Shell, and Recover config.xml. The Rescue Shell option launches a BSD shell prompt from which you can perform functions that might prove helpful in repairing a non-functional pfSense system.
For example, you can copy, delete and edit files from the shell prompt. If you suspect that a recent configuration change is what caused pfSense to break, however, and you saved the configuration file before making the change, the easiest way to fix your system may be to invoke Recover config.xml and restore pfSense from the previously-saved config.xml file.
- The next screen provides keymap options. Version 2.4.2 supports 99 different keyboard layouts, including both QWERTY and Dvorak layouts. Highlighting a keymap option and pressing Enter selects that option. There's also an option to test the default keymap, and an option to continue with the default keymap.
- Select Accept and press Enter when you have selected a keymap.
- Next, the installer provides the following disk partitioning options: Auto (UFS), Manual, Shell, and Auto (ZFS). The first and last options allow you to format the disk with the Unix File System (UFS) and Oracle's ZFS respectively.
- There are advantages and disadvantages to each filesystem, but the following table should help in your decision. Note that both filesystems support file ownership, and file creation/last access timestamps.
August 1983 (with BSD 4.2)
November 2005 (with OpenSolaris)
Maximum volume size
273 bytes (8 zebibytes)
2128 bytes (256 trillion yobibytes)
Maximum file size
273 bytes (8 zebibytes)
264 bytes (16 exbibytes)
Maximum filename length
Support for filesystem-level encryption
- In general, UFS is the tried-and-true filesystem, while ZFS was created with security in mind and incorporates many newer features such as filesystem-level encryption and data checksums.
- Manual, as the name implies, allows you to manually create, delete and modify partitions. There are several choices for partition types; you can even create an Apple Partition Map (APM) or a DOS partition, if that suits you. The Shell option drops you to a BSD shell prompt from which you can also manually create, delete and modify partitions, using shell commands.
- If you chose ZFS, the next screen will present a series of options that allow you to further configure your ZFS volume.
- Pool Type/Disks allows you to select the type of redundancy. The default option is stripe, which provides no redundancy at all. The mirror option provides for duplicate volumes, in which the array continues to operate as long as one drive is functioning. The raid10 option combines mirroring and striping (it is an array of mirrored drives). It requires at least four drives; the array continues to operate if one drive fails; up to half the drives in the RAID can fail so long as they aren't all from the same subset.
- The next three options, raidz1, raidz2, and raidz3, are non-standard RAID options. Like RAID levels 5 though, they achieve redundancy through a parity stripe, although the parity stripe in Z1, Z2 and Z3 are dynamically sized. RAID-Z1 requires at least three disks/volumes and allows one of them to fail without data loss; RAID-Z2 requires four disks/volumes and allows two to fail; RAID-Z3 requires five disks/volumes and allows three to fail.
- If your ZFS RAID is configured correctly, the installer will next present you with a series of ZFS-specific options. You can change the Pool Name (the default is zroot), toggle Force 4K Sectors on or off depending on whether or not you want sectors to align on 4K boundaries, and toggle Encrypt Disks on or off. You can also select a partition scheme for the system.
- The default is GUID Partition Table (GPT), but the legacy Master Boot Record (MBR) is also supported. You can set it up to boot in BIOS mode, Unified Extensible Firmware Interface (UEFI) mode, or, if your system supports it, both modes. UEFI-based systems, by specification, can only boot from GPT partitions, while some BIOS-based systems can boot from GPT partitions (and all BIOS-based systems can boot from MBR partitions). There is also support for the FreeBSD patch that fixes a bug that prevents GPT partitions from booting on some Lenovo systems (GPT + Lenovo Fix). You can also set the Swap Size, toggle Mirror Swap on or off, and toggle Encrypt Swap on or off.
- After you have made all desired modifications you can proceed; the installer will format all selected volumes, extract the archive files and install pfSense. You will also be given an option to open a shell prompt to make any final modifications. Otherwise, you can reboot the system and run the newly installed copy of pfSense.
- If you were unable to install pfSense on to the target media, you may have to troubleshoot your system and/or installation media. If you are attempting to install from the CD, your optical drive may be malfunctioning, or the CD may be faulty.
You may want to start with a known good bootable disc and see if the system will boot off of it. If it can, then your pfSense disk may be at fault; burning the disc again may solve the problem. If, however, your system cannot boot off the known good disc, then the optical drive itself, or the cables connecting the optical drive to the motherboard, may be at fault.
- In some cases, however, none of the aforementioned possibilities hold true, and it is possible that the FreeBSD boot loader will not work on the target system. If so, then you could opt to install pfSense on a different system.
- Another possibility is to install pfSense onto a hard drive on a separate system, then transfer the hard drive into the target system. In order to do this, go through the installation process on another system as you would normally until you get to the Assign Interfaces prompt. When the installer asks if you want to assign VLANS, type n. Type exit at the Assign Interfaces prompt to skip the interface assignment. Proceed through the rest of the installation; then power down the system and transfer the hard drive to the target system. Assuming that the pfSense hard drive is in the boot sequence, the system should boot pfSense and detect the system's hardware correctly. Then you should be able to assign network interfaces. The rest of the configuration can then proceed as usual.
- If you have not encountered any of these problems, the software should be installed on the target system, and you should get a dialog box telling you to remove the CD from the optical drive tray and press Enter. The system will now reboot, and you will be booting into your new pfSense install for the first time.
If installation was successful, you should see a screen similar to the one shown in the following screenshot:
Some of the initial configuration must be done at the console, while some aspects of the configuration, such as VLAN and DHCP setup, can be done from either the console or the web GUI.
Configuration takes place in two phases. Some configuration must be done at the console, including interface configuration and interface IP address assignment. Some configuration steps, such as VLAN and DHCP setup, can be done both at the console and within the web GUI. On initial bootup, pfSense will automatically configure the WAN and LAN interfaces, according to the following parameters:
- Network interfaces will be assigned to device IDs em0, em1, and so on
- The WAN interface will be assigned to em0, and the LAN interface will be assigned to em1
- The WAN interface will look to an upstream DHCP server for its IP address, while the LAN interface will initially be assigned an IP address of 192.168.1.1
You can, of course, accept these default assignments and proceed to the web GUI, but chances are you will need to change at least some of these settings. If you need to change interface assignments, select 1 from the menu.
On boot, you should eventually see a menu identical to the one seen on the CD version, with the boot multi or single user options, and other options. After a timeout period, the boot process will continue and you will get an Options menu. If the default interface assignments are unsatisfactory, select 1 from the menu to begin interface assignment. This is where the network cards installed in the system are given their roles as WAN, LAN, and optional interfaces (OPT1, OPT2, and so on).
If you select this option, you will be presented with a list of network interfaces. This list provides four pieces of information:
- pfSense's device name for the interface (fxp0, em1, and so on)
- The MAC address of the interface
- The link state of the interface (up if a link is detected; down otherwise)
- The manufacturer and model of the interface (Intel PRO 1000, for example)
As you are probably aware, generally speaking, no two network cards have the same MAC address, so each of the interfaces in your system should have a unique MAC address.
- To begin the configuration, select 1 and Enter for the Assign Interfaces option.
- After that, a prompt will show up for VLAN configuration.
- If you wish to set up VLANs, see Chapter 3, VLANs. Otherwise, type n and press Enter. Keep in mind that you can always configure VLANs later on.
- The interfaces must be configured, and you will be prompted for the WAN interface first.
- If you only configure one interface, it will be assigned to the WAN, and you will subsequently be able to log in to pfSense through this port.
This is not what you would normally want, as the WAN port is typically accessible from the other side of the firewall.
- When at least one other interface is configured, you will no longer be able to log in to pfSense from the WAN port. Unless you are using VLANs, you will have to set up at least two network interfaces.
In pfSense, network interfaces are assigned rather cryptic device names (for example, fxp0, em1, and so on) and it is not always easy to know which ports correspond to particular device names. One way of solving this problem is to use the automatic interface assignment feature.
- To do this, unplug all network cables from the system, and then type a and press Enter to begin auto-detection.
- The WAN interface is the first interface to be detected, so plug a cable into the port you intend to be the WAN interface.
The process is repeated with each successive interface.
- The LAN interface is configured next, then each of the optional interfaces (OPT1, OPT2).
- Once you have finished configuration, type y at the Do you want to proceed? prompt, or type n and press Enter to re-assign the interfaces.
- Option two on the menu is Set interface(s) IP address, and you will likely want to complete this step as well. When you invoke this option, you will be prompted to specify which interface's IP address is to be set.
- If you select WAN interface, you will be asked if you want to configure the IP address via DHCP. In most scenarios, this is probably the option you want to choose, especially if pfSense is acting as a firewall. In that case, the WAN interface will receive an IP address from your ISP's DHCP server. For all other interfaces (or if you choose not to use DHCP on the WAN interface), you will be prompted to enter the interface's IPv4 address.
- The next prompt will ask you for the subnet bit count. In most cases, you'll want to enter 8 if you are using a Class A private address, 16 for Class B, and 24 for Class C, but if you are using classless subnetting (for example, to divide a Class C network into two separate networks), then you will want to set the bit count accordingly.
- You will also be prompted for the IPv4 gateway address (any interface with a gateway set is a WAN, and pfSense supports multiple WANs); if you are not configuring the WAN interface(s), you can just hit Enter here.
- Next, you will be prompted to provide the address, subnet bit count, and gateway address for IPv6; if you want your network to fully utilize IPv6 addresses, you should enter them here.
The advantages of IPv6 over IPv4 will be discussed more fully in Chapter 2, Advanced pfSense Configuration.
We have now configured as much as we need to from the console (actually, we have done more than we have to, since we really only have to configure the WAN interface from the console). The remainder of the configuration can be done from the pfSense web GUI.
The pfSense web GUI can only be accessed from another PC. If the WAN was the only interface assigned during the initial setup, then you will be able to access pfSense through the WAN IP address. Once one of the local interfaces is configured (typically the LAN interface), pfSense can no longer be accessed through the WAN interface. You will, however, be able to access pfSense from the local side of the firewall (typically through the LAN interface). In either case, you can access the web GUI by connecting another computer to the pfSense system, either directly (with a crossover cable) or indirectly (through a switch), and then typing either the WAN or LAN IP address into the connected computer's web browser.
- When you initially log in to pfSense, the default username/password combination will be admin/pfsense, respectively.
- On your first login, the Setup Wizard will begin automatically.
- Click on the Next button to begin configuration.
- The first screen provides a link for information about a pfSense Gold Netgate Global Support subscription. You can click on the link to sign up to learn more, or click on the Next button.
- On the next screen, you will be prompted to enter the hostname of the router as well as the domain. Hostnames can contain letters, numbers, and hyphens, but must begin with a letter. If you have a domain, you can enter it in the appropriate field.
- In the Primary DNS Server and Secondary DNS Server fields, you can enter your DNS servers. If you are using DHCP for your WAN, you can probably leave these fields blank, as they will usually be assigned automatically by your ISP. However, your ISP's DNS servers may not be reliable. There are many third party DNS servers available, including OpenDNS (184.108.40.206 and 220.127.116.11) and Google Public DNS (18.104.22.168 and 22.214.171.124). Uncheck the Override DNS checkbox if you want to use third party DNS servers rather than the DNS servers used by your ISP. Click on Next when finished.
- The next screen will prompt you for the Network Time Protocol (NTP) server as well as the local time zone. The NTP server configuration will be covered in greater detail in the next chapter; you can keep the default value for the server hostname for now. For the Timezone field, you should select the zone which matches your location and click on Next.
- The next screen of the wizard is the WAN configuration page.
In most scenarios, you won't need to make any further changes to the WAN in comparison to what was done at the console (at least initially; a multi-WAN setup is more involved and will be discussed more fully in Chapter 9, Multiple WANs).
If you need to make changes, however, there are several options on this page.
- For Selected Type, you have several options, but the most commonly used options are DHCP (the default type) or Static.
If your pfSense system is behind another firewall and it is not going to receive an IP address from an upstream DHCP server, then you probably should choose Static. If pfSense is going to be a perimeter firewall, however, then DHCP is likely the correct setting, since your ISP will probably dynamically assign an IP address (this is not always the case, as you may have an IP address statically assigned to you by your ISP, but it is the more likely scenario).
- The other choices are Point-to-Point Protocol over Ethernet (PPPoE) and Point-to-Point Tunneling Protocol (PPTP). Your ISP may require that you use one of these options for the WAN interface; if you are not sure, check with them.
- If you selected either PPPoE or PPTP, you will have to scroll down to the appropriate part of the page to enter parameters for these connections.
- At a minimum, you will likely have to enter the Username and Password for such connections. In addition, PPTP requires that you enter a local IP address and a remote IP address.
- The dial-on-demand checkbox for PPPoE and PPTP connections allows you to connect to your ISP only when a user requests data that requires an internet connection. Both PPPoE and PPTP support an Idle timeout setting, which specifies how long the connection will be kept open after transmitting data when this option is invoked. Leaving this field blank disables this function.
- We can now turn our attention to the General Configuration section. The MAC address field allows you to enter a MAC address that is different from the actual MAC address of the WAN interface.
This can be useful if your ISP will not recognize an interface with a different MAC address than the device that was previously connected, or if you want to acquire a different IP address (changing the MAC address will cause the upstream DHCP server to assign a different address).
- If you use this option, make sure the portion of the address reserved for the Organizationally Unique Identifier (OUI) is a valid OUI – in other words, an OUI assigned to a network card manufacturer. (The OUI portion of the address is the first three bytes of a MAC-48 address and the first five bytes of an EUI-48 address).
- The next few fields can usually be left blank. Maximum Transmission Unit (MTU) allows you to change the MTU size if necessary. DHCP hostname allows you to send a hostname to your ISP when making a DHCP request, which is useful if your ISP requires this.
- The Block RFC1918 Private Networks checkbox, if checked, will block registered private networks (as defined by RFC 1918) from connecting to the WAN interface. The Block Bogon Networks option blocks traffic from reserved and/or unassigned IP addresses. For the WAN interface, you should check both options unless you have special reasons for not invoking these options. Click the Next button when you are done.
- The next screen provides fields in which you can change the LAN IP address and subnet mask, but only if you configured the LAN interface previously.
- You can keep the default, or change it to another value within the private address blocks. You may want to choose an address range other than the very common 192.168.1.x in order to avoid a conflict.
- Be aware that if you change the LAN IP address value, you will also need to adjust your PC's IP address, or release and renew its DHCP lease when finished with the network interface. You will also have to change the pfSense IP address in your browser to reflect the change.
- The final screen of the pfSense Setup Wizard allows you to change the admin password, which you should do now.
- Enter the password, enter it again for confirmation in the next edit box, and click on Next.
- Later on, you can create another administrator account with a username other than admin and disable the admin account, for additional security, unless you plan on setting up multiple firewalls for high availability, in which case you will need to retain the admin account.
- On the following screen, there will be a Reload button; click on Reload. This will reload pfSense with the new changes.
- Once you have completed the wizard, you should have network connectivity. Although there are other means of making changes to pfSense's configuration, if you want to repeat the wizard, you can do so by navigating to System | Setup Wizard. Completion of the wizard will take you to the pfSense dashboard.
By now, both the WAN and LAN interface configurations should be complete. Although additional interface configurations can be done at the console, it can also be done (and somewhat more conveniently so) in the web GUI.
- To add optional interfaces, navigate to the Interfaces | Assignments tab, which will show a list of assigned interfaces, and at the bottom of the table, there will be an Available network ports option.
- There will be a corresponding drop-down box with a list of unassigned network ports. These will have device names such as fxp0, em1, and so on.
- To assign an unused port, select the port you want to assign from the drop-down box, and click on the + button to the right.
- The page will reload, and the new interface will be the last entry in the table. The name of the interface will be OPTx, where x equals the number of optional interfaces.
- By clicking on interface name, you can configure the interface.
Nearly all the settings here are similar to the settings that were available on the WAN and LAN configuration pages in the pfSense Setup Wizard.
Some of the options under the General Configuration section, that are not available in the Setup Wizard, are MSS (Maximum Segment Size), and Speed and duplex. Normally, MSS should remain unchanged, although you can change this setting if your internet connection requires it.
- If you click on the Advanced button under Speed and duplex, a drop-down box will appear in which you can explicitly set the speed and duplex for the interface. Since virtually all modern network hardware has the capability of automatically selecting the correct speed and duplex, you will probably want to leave this unchanged.
- The section at the bottom of the page, Reserved Networks, allows you to enable Block private networks and loopback addresses and Block bogon networks via their respective checkboxes. Although these options are checked by default when configuring the WAN interface, we normally want to allow private networks on internal interfaces, so these options are normally not enabled when configuring non-WAN interfaces.
- If you chose an option other than Static for the Configuration Type, then other options will appear.
Since it is unlikely that internal interfaces will be configured as such, further discussion of these options will take place in the next section on WAN configuration.
Most likely, you won't have to do any additional configuration for the WAN interface; the configuration done in the Setup Wizard will be enough to get you started. If you need to make changes, however, follow these steps:
- Navigate to Interfaces | WAN in the main menu.
- The most likely scenario is that your ISP will provide an IP address via DHCP, but many providers will provide you with a static IP address if you require one. In such cases, you will need to set your Configuration Type to Static and then enter your WAN IP address and CIDR under either the Static IPv4 Configuration or Static IPv6 Configuration (or possibly both, if you plan to have both an IPv4 and IPv6 address).
- You will also need to specify your ISP's gateway, which you can do by clicking on the Add a new gateway button. A dialog box will appear in which you can enter the IP address and a description.
- If you have selected DHCP as the configuration type, then there are several options in addition to the ones available in the Setup Wizard. Clicking on the Advanced checkbox in the DHCP client configuration causes several additional options to appear in this section of the page.
- The first is Protocol Timing, which allows you to control DHCP protocol timings when requesting a lease. You can also choose several presets (FreeBSD, pfSense, Clear, or Saved Cfg) using the radio buttons on the right.
- There is also a Configuration Override checkbox which, if checked, allows you to specify the absolute path to a DHCP client configuration file in the Configuration Override File edit box. If your ISP supports pfSense, it should be able to provide you with a valid configuration override file.
- If the Configuration Override checkbox is not checked, there will be three edit boxes in this section under the checkboxes. The first is Hostname; this field is sent as a DHCP hostname and client identifier when requesting a DHCP lease. Alias IPv4 address allows you to enter a fixed IP address for the DHCP client. The Reject Leases from field allows you to specify the IP address or subnet of an upstream DHCP server to be ignored.
- The next section is Lease Requirements and Requests. Here you can specify send, request, and require options when requesting a DHCP lease. These options are useful if your ISP requires these options. The last section is Option Modifiers, where you can add DHCP option modifiers, which are applied to an obtained DHCP lease.
- Starting with pfSense version 2.2.5, there is support for IPv6 with DHCP (DHCP6). If you are running 2.2.5 or above, there will be a section on the page called DHCP6 client configuration.
- Similar to the configuration for IPv4 DHCP, there are checkboxes for Advanced Configuration and Configuration Override.
- Checking the Advanced checkbox in the heading of this section displays the Advanced DHCP 6 options:
- If you check the Information Only checkbox on the left, pfSense will send requests for stateless DHCPv6 information.
- You can specify Send and Request options, just as you can for IPv4.
- There is also a Script field where you can enter the absolute path to a script that will be invoked on certain conditions.
- The next options are for the Identity Association Statement checkboxes. The NonTemporary Address Allocation checkbox results in normal, that is, not temporary, IPv6 addresses to be allocated for the interface. The Prefix Delegation checkbox causes a set of IPv6 prefixes to be allocated from the DHCP server.
- The next set of options, Authentication Statement, allows you to specify authentication parameters to the DHCP server. The Authname parameter allows you to specify a string, which in turn specifies a set of parameters.
- The remaining parameters are of limited usefulness in configuring a DHCP6 client, because each has only one allowed value, and leaving them blank will result in only the allowed value being used. If you are curious as to what these values are here they are:
- Finally, Key info Statement allows you to enter a secret key. The required fields are key id, which identifies the key, and secret, which provides the shared secret. key name and realm are arbitrary strings and may be omitted. expire may be used to specify an expiration time for the key, but if it is omitted, the key will never expire.
- If you do not check the configuration override checkbox (in which case you will specify a configuration override file, similar to how this option works with DHCP over IPv4), there will be several more options in this DHCP Client Configuration section . Use IPv4 connectivity as parent interface allows you to request an IPv6 prefix over an IPv4 link.
- Request only an IPv6 prefix allows you to request just the prefix, not an address. DHCPv6 Prefix Delegation size allows you to specify the prefix length.
- You can check the Send IPv6 prefix hint to indicate the desired prefix length, Debug for debugging, and select Do not wait for an RA (router advertisement) and/or Do not allow PD/Address release, if your ISP requires it.
- The last section on the page is identical to the interface configuration page in the Setup Wizard, and contains the Block Private Networks and Block Bogon Networks checkboxes.
You can find several configuration options under System | General Setup. Most of these are identical to settings that can be configured in the Setup Wizard (Hostname, Domain, DNS servers, Timezone, and NTP server). There are two additional settings available:
- The Language drop-down box allows you to select the web configurator language.
- Under the Web Configurator section, there is a Theme drop-down box that allows you to select the theme. The default theme of pfSense is perfectly adequate, but you can select another one here. There are several new theme options available for version 2.4, so if you have not tried these, you may want to do so.
pfSense 2.3 added new options to control the look and feel of the web interface and 2.4 has added some more; these settings are also found in the Web Configurator section of the General Settings page:
- The top navigation drop-down box allows you to choose whether the top navigation scrolls with the page, or remains anchored at the top as you scroll.
- The Hostname in the Menu option allows you to replace the Help menu title with the system name or fully qualified domain name (FQDN).
- The Dashboard Columns option allows you to select the number of columns on the dashboard page (the default is 2).
- The next set of options is Associated Panels Show/Hide. These options control the appearance of certain panels on the Dashboard and System Logs page. The options are:
- Available Widgets: Checking this box causes the Available Widgets panel to appear on the Dashboard. Prior to version 2.3, the Available Widgets panel was always visible on the Dashboard.
- Log Filter: Checking this box causes the Advanced Log Filter panel to appear on the System Logs page. Advanced Log Filter allows you to filter the system logs by time, process, PID, and message.
- Manage Log: Checking this box causes the Manage General Log panel to appear on the System Logs page. The Manage General Log panel allows you to control the display of the logs, how big the log file may be, and the formatting of the log file, among other things.
- Monitoring Settings: Checking this box causes the Settings section to appear on the Status | Monitoring page, which allows custom configuration of the interactive graph on that page.
- The Require State Filter checkbox, if checked, causes the state table in Diagnostics | States to only appear if a filter is entered.
- The last option on this page, Left Column Labels, allows you to select/toggle the first item in a group by clicking on the left column if checked.
- The last three options on the page were added with version 2.4:
- The Alias Popups checkbox, if checked, will disable showing the details of an alias in alias popups that appear when dragging the mouse over an alias on the Firewall page.
- The Login page color drop-down box allows you to customize the login page color; the current default color is blue.
- Finally, the Login hostname checkbox, when checked, will display the hostname on the login page. Having the hostname on the login page can be a helpful reminder if you are managing a large network with several firewalls, but it also potentially gives away what network is being secured.
- Click on Save at the bottom of the page to save any changes.
The goal of this chapter was to provide a brief overview of how to get pfSense up and running. Completion of this chapter should give you an idea of where to deploy pfSense on your network, as well as what hardware to utilize. You should also know how to troubleshoot common installation problems and how to do basic system configuration in the most common deployment scenarios.
We have barely scratched the surface here, however, and in the next chapter we will cover some of the more advanced configuration options. We will cover DHCP and DHCPv6, DNS and Dynamic DNS, as well as other capabilities you are likely to consider utilizing, such as captive portal, the Network Time Protocol (NTP), and the Simple Network Management Protocol.
The learning curve becomes somewhat steeper after this chapter, but fear not: if you have a solid understanding of computer networks and how they work, mastering pfSense can be both educational and fun.
Answer the following questions:
- What term is used to refer to a network that is separate from the rest of the local network and provides services to users outside of the local network?
- What are the minimum specifications for pfSense in terms of CPU, RAM and disk space?
- How much memory does a state table entry require?
- Why is it a good idea to use checksums?
- What is the best filesystem choice for an organization that (a) requires support for filesystem-level encryption and data deduplication? (b) requires maximum backward compatibility?
- Identify the two places from which interface assignment can be done in pfSense.
- Identify at least four different valid configuration types for a pfSense interface.
- What is the default setting for Block Private Networks and loopback addresses (a) on the WAN interface? (b) an the LAN interface? (c) why?
- Identify two places within the web GUI where the time zone can be set.
- Identify at least three parameters that can be set in the Setup Wizard.
- The official pfSense documentation wiki is a good place to get started. There you will find a guide for downloading and installing pfSense, a features list, a packages list and documentation for packages, as well as an FAQ document. You can find the wiki at: https://doc.pfsense.org/index.php/Main_Page.
- During the WAN and LAN configuration, you may have noticed the description of block private addresses and loopback addresses makes reference to RFC 1918 and RFC 4193. RFC stands for Request for Comments; these are documents published by the Internet Engineering Task Force (IETF), and in spite of their deceptively informal title, RFCs are actually specifications and standards for internet-related technologies. RFC 1918 and 4193, for example, describe private addressing for IPv4 and IPv6 networks respectively. If you wish to read an RFC, navigate to: https://tools.ietf.org/html/, which allows you to retrieve RFCs by numbers or draft names.