Installing and configuring pfSense

1. Introduction
2. Hardware Requirements
3. Installing pfSense CE
4. pfSense Interface
5. Diagnostics
6. Advanced Settings
7. Updating
8. Internal Routing
9. SSL
10. Additional Features
11. Conclusion

Introduction

What Exactly is pfSense?


pfSense is a multifunctional software router/firewall developed by Netgate and based on the FreeBSD
operating system.
pfSense is available in several versions: the software-based Community Edition (CE) and as a Netgate
hardware appliance. Commercial support for the Community Edition ranges from $400 to $800
annually. In 2021, pfSense Plus Software was launched, which is now the focus for developing new
features.
pfSense features a modular architecture and comes with its own package manager. Key features
include routing (dynamic routing included), firewall capabilities, NAT, DHCP server, load balancing, VPN
(including OpenVPN and L2TP), dynamic DNS, PPPoE, IDS, proxy, and more. Support for building fault-
tolerant clusters is provided. It includes built-in monitoring, logging, and reporting capabilities.
Many organizations and home offices use pfSense for their Internet connectivity needs. The free
Community Edition, which lacks technical support, is frequently utilized.
Since its inception in 2004, the product has become mature and stable. This maturity often allows
using the free Community Edition without technical support.

Hardware Requirements
The Community Edition can be installed on both bare metal and virtual machines. Hardware
requirements vary with network interface speeds – ranging from a minimum of 500 MHz/512 MiB
for 10 Mbps to a multi-core 2+ GHz/2 GiB for 1 Gbps.
Utilizing additional features and modules requires more CPU cores and more RAM. For commonly
used connections at 100 Mbps, 1 GHz/1 GB is recommended. For higher speeds, a PCIe bus is also
necessary to avoid bottlenecks.
Disk size requirements are minimal but depend on the functionalities used; the minimum size is 8
GB. Moreover, since pfSense is based on FreeBSD, the compatible hardware list is determined by
what FreeBSD supports.

Installing pfSense CE
We will show how to install, configure, and operate pfSense using a virtual machine in
the Servercore cloud. For our setup, we will create a lab with two machines: one running pfSense
with both external and internal interfaces, and another serving as a desktop client with an internal
interface.
pfSense is a custom solution deployed on the Servercore cloud platform, presenting several unique
challenges.
As of the year 2021:
- In the installation image settings, specify “Linux” instead of “Other” to avoid the error “Internal error
Invalid image metadata. Error: Field value other is invalid”.
- The distribution only works with network disks and cannot be installed on servers that use local
disks.
- It’s also impossible to combine installation via an image in the control panel with selecting two
network interfaces at the same time.
Workarounds include creating a machine with two interfaces and connecting the installation ISO via
OpenStack CLI, or installing with one network interface and later adding a second one. The latter
method is simpler and will be what we use.

Loading the Image


On the pfSense CE download page, select the AMD64 (64-bit) architecture and the DVD Image
(ISO) type.

Verify the integrity of the downloaded archive and then unpack it:
# the first field of the sha256sum output is the digest; compare it with the value published on the download page
$ sha256sum=($(sha256sum Download/pfSense-CE-2.5.2-RELEASE-amd64.iso.gz)) && [ "$sha256sum" == "0266a16aa070cbea073fd4189a5a376d89c2d3e1dacc172c31f7e4e75b1db6bd" ] && echo "Ok" || echo "Something wrong"
$ gunzip Download/pfSense-CE-2.5.2-RELEASE-amd64.iso.gz

Look up the sha256 checksum value 0266a16aa070cbea073fd4189a5a376d89c2d3e1dacc172c31f7e4e75b1db6bd on the
download page. This example applies to version 2.5.2, the current version at the time of writing.

Next, create and upload the image to the storage repository via the control panel, selecting Linux
OS:

Installation and Initial Set Up of pfSense


In the Cloud Platform servers section, click the “Create Server” button at the top right (or center if
it’s the first one). Select some bottom-tier configuration (1 vCPU/512 MiB RAM/5 GiB Storage) –
enough for testing purposes; system requirements for other scenarios are detailed above.

At this stage, set the network as “New Private Network” – it will be internal with the address
192.168.1.0/24. Assign the name int_net and disable DHCP. The gateway setting does not impact
anything in this case, but it cannot be removed.

After entering the necessary parameters, click the “Create” button. The server will be configured
and available within 30 seconds. If you accidentally closed the tab where the machine was being
created – no worries, the server can be accessed in the global “Servers” section. To interact with the
server console, navigate to its card under the “Servers” tab and open the “Console” item.
Read and accept the copyright terms.
Select the installation mode. At this stage, you can also activate the built-in recovery mode.

The system console will not be visible to regular users, so changing the localization is unnecessary –
you can leave it at default.
Depending on the hardware architecture, choose the boot and partitioning method; for VMs, select
BIOS.

Observe the installation process.


Upon completion of installation, the following window will appear.

By clicking “Yes“, you will be taken to the Shell. Here, you can manually adjust any system settings.
Once the setup is complete, return to the installation program by executing the “exit” command.
Normally, no changes are needed at this stage; simply click “No“.

Network Setup
For our lab, we will need one external and one internal network – add a second interface for this
purpose. Launch the shell by clicking “Shell“.
Then issue the shutdown command:
# poweroff
In real life, this step would not be necessary when installing on your own server.
In the global “Servers” tab, the virtual machine will feature a SHUTOFF status.
Next, we’ll explore a scenario of connecting to an ISP by IP, where we are assigned a network with
a /29 mask (the smallest available on the Servercore cloud platform).
Navigate to the global “Network” -> “Public Subnets” panel and click “Create Subnet“.
In the control panel, you can choose among masks ranging from /29 to /27. If your ISP has provided
a network with a /30 mask, your connection and setup process will be similar.
At this stage, the system will allocate a network (in this example, 94.26.250.176/29) and set a default
gateway (94.26.250.177). This will be necessary for configuring the WAN interface later on. In a real-
world scenario, this would be your ISP’s gateway address.
Add a new network to our server by navigating to “Servers” -> “Ports” -> “Add Port” -> “Select
Network” -> “Add Port“.

The system has assigned an address (94.26.250.178) to our server. It now has two interfaces as a
true internet gateway should – an external one included in the global network and an internal one in
our local network.
The Servercore Cloud Platform does not support VLAN; we do not use it and proceed to configure
interfaces.
With interface vtnet0, our server faces inward towards the network, while vtnet1 faces outward.

Press “y” to apply settings and continue with installation.


In the pfSense console, assign the previously issued external address to the WAN interface.

Item 2-Set Iface IP -> 1-WAN -> DHCP -> N -> Enter IP-Address -> Enter mask -> Enter gateway.
Next, you will be prompted to modify IPv6 settings. In our scenario, no changes are needed to IPv6
settings.
Confirm by answering “Yes” to “Do you want to revert to HTTP as the webConfigurator protocol?”
and wait 3-4 seconds for the configuration to apply.
Verify that the ISP gateway is accessible (this option is available in step 7).
After selecting “Ping host“, enter either the ISP’s gateway address or, in our lab scenario, that of the
platform.

Test Client
Next, we’ll add a test machine (Ubuntu 18/1 vCPU/2 GB RAM/8 GB Storage) to our lab. This machine
will simulate our user and connect to the Internet via pfSense. We’ll also use this machine to
continue configuring pfSense.
All that’s needed from this machine is a browser. Take a ready-made Ubuntu 18 image and add a
graphical interface to it. To access repositories, temporarily connect the machine directly to an
external network.
Click “Create“, wait 15-20 seconds for the server to initialize, then connect to its console.
If an internal network (int_net) was used during machine creation, either recreate the machine
entirely or replace that network interface with an external one before proceeding with operations
on the machine.
# ip link set eth0 down
# ip addr add 94.26.250.179/29 dev eth0
# ip link set eth0 up
# ip route add default via 94.26.250.177 dev eth0
# ping 94.26.250.177
# ping ya.ru

OS Update
Even though it’s just a test machine, start by updating it:
# apt-get update -y && apt-get upgrade -y

If the kernel has been updated, the machine should be rebooted.


GUI Installation
Desktop customization is beyond the scope of this article (more details can be found on dedicated
sites); the list of commands may be as follows.
# apt install tasksel slim -y
# tasksel install ubuntu-desktop
# adduser myuser
# systemctl start slim
On the graphical part: on Servercore platform you can use Alt+Left/Right Arrow or F1 combination
to switch between VM consoles, the usual Ctrl+Alt+Fn may not work.
This is also where a regular user is created to prevent further work with root access rights.
Switching the Network Interface
After launching the GUI, we move our desktop to the internal network, for which we remove the
external interface on the “Ports” tab of the server and connect the internal network – int_net (it is
better to do it on a switched-off machine – systemctl poweroff).
Since the image is taken from the Servercore repository, it is customized to interact with that
platform and gets its network configuration from it.
In our lab this is not needed, our DHCP runs on pfSense and it is up to it to set the client’s network
parameters. The behavior of the guest machine is changed by a command.
$ sudo touch /etc/cloud/cloud-init.disabled

Netplan should not be used in the cloud platform, so we’ll edit the file to enable DHCP on the
machine interface.
/etc/network/interfaces.d/50-cloud-init.cfg

Change it as follows:
Check:
You can view the current IP address with the “ip a” (short for “ip address”) command, and check the settings
received from the DHCP server with the following command.
less /var/lib/dhcp/dhclient.<iface>.leases

You can find out the address of the DHCP server like this:

If for some reason DHCP was enabled on the int_net network when the machine was created, DHCP
on this network must be turned off before shutting down or rebooting the machine. Otherwise, the
host 192.168.1.2 or .3 will distribute addresses. After that, configure the cloud-init and network
interface settings as above.
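The client-side steps above (disable cloud-init, switch the interface to DHCP, read the lease and check which server handed it out) as an added shell example; this is not code from the original article. Paths are passed as parameters so the functions can be tried in a scratch directory; on the real test client they would be /etc/cloud, /etc/network/interfaces.d/50-cloud-init.cfg and /var/lib/dhcp/dhclient.<iface>.leases. The leases file is a constructed sample in ISC dhclient format.

```shell
#!/bin/sh
# Added example (not from the original article). Helpers for the client-side
# steps: disable cloud-init, switch the interface to DHCP, and read the
# resulting dhclient lease. Paths are parameters so everything can be tried in
# a scratch directory; on the real test client they would be /etc/cloud,
# /etc/network/interfaces.d/50-cloud-init.cfg and
# /var/lib/dhcp/dhclient.<iface>.leases.

# Create the marker file cloud-init checks at boot ($1 stands in for /etc/cloud).
disable_cloud_init() {
    touch "$1/cloud-init.disabled"
}

# Write an ifupdown stanza that puts interface $2 on DHCP into file $1.
write_dhcp_config() {
    printf 'auto %s\niface %s inet dhcp\n' "$2" "$2" > "$1"
}

# Print the DHCP server address recorded in the most recent lease of the
# ISC dhclient leases file $1.
lease_dhcp_server() {
    awk '/option dhcp-server-identifier/ { srv = $3 }
         END { sub(/;$/, "", srv); print srv }' "$1"
}

# Print the client address granted in the most recent lease of file $1.
lease_client_address() {
    awk '/fixed-address/ { addr = $2 }
         END { sub(/;$/, "", addr); print addr }' "$1"
}

# Return 0 when the lease came from server $2 (pfSense at 192.168.1.1 in this
# lab) and 1 when some other host, e.g. the platform's own DHCP, answered.
check_lease_server() {
    [ "$(lease_dhcp_server "$1")" = "$2" ]
}

# Constructed sample leases file in dhclient format, for demonstration only.
make_sample_leases() {
    cat > "$1" <<'EOF'
lease {
  interface "eth0";
  fixed-address 192.168.1.3;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  option dhcp-lease-time 7200;
  option dhcp-message-type 5;
  option domain-name-servers 192.168.1.1;
  option dhcp-server-identifier 192.168.1.1;
  renew 2 2021/06/01 10:00:00;
  rebind 2 2021/06/01 11:00:00;
  expire 2 2021/06/01 12:00:00;
}
EOF
}

# Stand-alone demonstration in a temporary directory.
demo() {
    work=$(mktemp -d)
    make_sample_leases "$work/dhclient.eth0.leases"
    disable_cloud_init "$work"
    write_dhcp_config "$work/50-cloud-init.cfg" eth0
    echo "DHCP server: $(lease_dhcp_server "$work/dhclient.eth0.leases")"
    echo "Client address: $(lease_client_address "$work/dhclient.eth0.leases")"
    if check_lease_server "$work/dhclient.eth0.leases" 192.168.1.1; then
        echo "Lease came from pfSense"
    else
        echo "Lease came from an unexpected server"
    fi
    rm -rf "$work"
}

demo
```

The check_lease_server step is the useful one after a reboot: if the address in the lease did not come from 192.168.1.1, the platform's DHCP on int_net was still enabled and one of the hosts mentioned above answered first, which is exactly the situation the paragraph warns about.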

9 Steps of the pfSense Setup Wizard


Launch the browser, go to 192.168.1.1 – we find ourselves in the web interface of pfSense. Enter the
default name/password (admin/pfsense), and a 9-step configuration wizard will start. Only a small
number of settings need to be changed during basic setup.

The banner at the top reminds you to change the default password to your own. At step 6, the setup
wizard will prompt you to change your password, so you can ignore the banner for now.
You will see the welcome message of the Setup Wizard.

Step 1. Start setting up


Step 2. Specify the gateway name and domain
In the wizard we specify the name and domain of our gateway (step 2, e.g., mygw02 & myorg.ru),
DNS servers (e.g., dns.google – 8.8.4.4 & 8.8.8.8).

Step 3. Setting up time synchronization


Set up time synchronization via NTP and select your time zone: you can either keep the default
server or choose one according to your preferences with an appropriate stratum (level 3 is
sufficient).

Step 4. Setting up PPPoE


There’s usually no need to make any changes at this step. Specify the upstream gateway if it hasn’t
been set earlier in addition to the external address. Here, configure the PPPoE settings if your ISP
requires them. Some providers require a connection from a specific MAC address, which can also be
specified at this step.

Step 5. Configuring the internal interface


This concerns configuring the internal interface. It’s already configured on our end, so let’s proceed
to the next step.

Step 6. Admin password


At this step, you will be prompted to change the administrator password:
No verification is done to check if it matches the previous password, including the default one. You
can technically reuse an old password, but for security reasons, it’s advisable to set a strong one.

Step 7. Applying settings


You will then be prompted to apply the settings.

Step 8. Continuing to apply settings

Step 9. Setup complete


Click “Finish” – the setup wizard has successfully completed its task. At this stage, pfSense is ready to
function as a basic Internet gateway – you can now use a browser to access a search engine and run
a network speed test.

In the future (for example, after resetting to factory settings: Diagnostics -> Factory Defaults), you
can restart the wizard from the System -> Setup Wizard menu.

pfSense Interface
Upon connecting to the router, the first thing displayed is the dashboard, which may appear as
follows:

The dashboard may take some time to render.


The dashboard is highly customizable – you can add new elements, remove unused ones, and adjust
existing ones.
Menu structure
pfSense offers numerous functions, with settings organized into groups:
- The pfSense logo button takes you back to the dashboard.
- System – general system settings, including routing management, certificates, updates, and the
package manager.
- Interfaces – mapping and setting up interfaces.
- Firewall – configuring NAT and firewall rules; traffic shaping is also configured here.
- Services – additional functions run by separate daemons (DHCP Server/Relay, DNS, NTP, SNMP, etc.),
including those installed from the package manager (Squid, Snort, Nagios (NRPE), and Zabbix
agents).
- VPN – settings for remote access services (IPsec, L2TP, OpenVPN) are found here.
- Status – displays current component status including counters, real-time values, monitoring graphs,
and system logs.
- Diagnostics – various diagnostic tools (backup/restore, shutdown/restart,
ping/traceroute/DNS lookup, and more).
- The hostname entry (mygw02.myorg.ru) acts like a help/about button.

Theme change
Many prefer “dark” themes available in pfSense under System -> General Setup in
the webConfigurator section:

The article will alternate between using the default dark and light themes.

Localization
The System -> General Setup section’s Localization section allows you to switch the web interface’s
language via the Language parameter.
Diagnostics
Initial diagnostics typically start with analyzing system and component logs, followed by assessing
historical system load over a specific period, such as the last day or hour.

System Logs
Accessible via the Status -> System Logs tab. There are numerous logs, but they are organized by
category. Logs under Status/System Logs/System/General and Status/System Logs/Firewall will be
of primary interest.

Load Charts
Assessing system load is conveniently done graphically in the Status/Monitoring section.

Further diagnostics involve careful analysis of counter values on the “Statuses” tab and using
diagnostic tools on the “Diagnostics” tab.

Password Reset
If you lose your pfSense password, it can be reset to default via console option 3 (Reset
webConfigurator password).

Advanced Settings

Firewall Rules
Default settings prevent connections to pfSense from external networks and allow client access
outward using NAT translation (specifically dynamic NAT or NAPT as per RFC 2663, also known as
NAT overload or PAT).
For instance, create an allow rule for connecting to pfSense from home on the WAN interface, then
limit user connections to only browsing on the LAN interface.
pfSense features a handy mechanism for defining variables through aliases; let’s create one for our
home office and tcp ports 80/443 and enable packet logging. Under Firewall’s Aliases menu on the
default IP tab, click the +Add button:

This opens an alias editor for IP addresses:


In the editor, assign a name to the alias, select its type (Host(s)), and add IP addresses.
Similarly on the Ports tab, create a service rule.
Provide a descriptive name, add a description, and enter one or more ports:

The tooltip provides a convenient method for creating an alias for a range of ports.
Rules themselves are configured under Firewall -> Rules.
Now when creating or editing rules, we can utilize aliases. This is particularly useful when a setting is
reused across multiple rules and occasionally changes.
In such cases, only one alias needs adjusting.
In the earlier example, we selected previously defined aliases for both source address and
destination ports.
After making adjustments, remember to click Apply Changes. Now you can test the connection.
Similarly, create a rule for surfing on the LAN interface:
Next, on this interface, create rules for DNS (UDP/53) and, optionally, for easier diagnostics, ICMP (echo
request and echo reply are enough).
Now disable default rules by clicking on the green checkmark (1), Save (2 if rule order has changed),
and Apply Changes(3):
Check access to websites and then to non-standard ports using portquiz.net:
Ping is working, domain names are resolved, HTTP over TCP/80 is open, but the connection fails on
the non-standard port TCP/8080.
This is also documented in the log:
Thus, we have accomplished the task of providing access to web resources and blocking unwanted
resources on other ports.
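As an added example (not code from the original article), the following script summarises what the firewall has blocked from raw firewall log lines like those shown in Status -> System Logs -> Firewall. Field positions follow pfSense's documented filterlog CSV layout for IPv4 TCP/UDP entries; the log lines, the remote addresses (203.0.113.x, 198.51.100.x) and the rule tracker ids are constructed for this example, while 192.168.1.3 and 94.26.250.178 are the lab addresses used above.

```shell
#!/bin/sh
# Added example (not from the original article): a quick summary of what the
# firewall is blocking, built from raw filterlog lines. Field positions follow
# pfSense's documented filter log format for IPv4 TCP/UDP entries (the CSV part
# after "filterlog[pid]: "):
#   1 rule, 2 sub-rule, 3 anchor, 4 tracker, 5 interface, 6 reason, 7 action,
#   8 direction, 9 ip-version, ... 17 protocol, 19 source, 20 destination,
#   21 source-port, 22 destination-port.
# The log lines below are constructed; remote addresses and tracker ids are
# made up. vtnet0 is the LAN side and vtnet1 the WAN side, as in the lab.

make_sample_log() {
    cat > "$1" <<'EOF'
Jun 1 10:00:01 mygw02 filterlog[8891]: 4,,,1000000103,vtnet0,match,pass,in,4,0x0,,64,5001,0,DF,6,tcp,60,192.168.1.3,203.0.113.10,50234,80,0,S,1,,65535,,mss
Jun 1 10:00:02 mygw02 filterlog[8891]: 5,,,1000000104,vtnet0,match,block,in,4,0x0,,64,5002,0,DF,6,tcp,60,192.168.1.3,203.0.113.10,50235,8080,0,S,2,,65535,,mss
Jun 1 10:00:03 mygw02 filterlog[8891]: 5,,,1000000104,vtnet0,match,block,in,4,0x0,,64,5003,0,DF,6,tcp,60,192.168.1.3,203.0.113.10,50236,8080,0,S,3,,65535,,mss
Jun 1 10:00:04 mygw02 filterlog[8891]: 5,,,1000000104,vtnet0,match,block,in,4,0x0,,64,5004,0,none,17,udp,78,192.168.1.3,203.0.113.20,41000,123,50
Jun 1 10:00:05 mygw02 filterlog[8891]: 4,,,1000000102,vtnet0,match,pass,in,4,0x0,,64,5005,0,none,17,udp,60,192.168.1.3,8.8.8.8,41001,53,32
Jun 1 10:00:06 mygw02 filterlog[8891]: 12,,,1000000101,vtnet1,match,block,in,4,0x0,,52,7001,0,DF,6,tcp,60,198.51.100.7,94.26.250.178,43210,22,0,S,4,,65535,,mss
EOF
}

# Strip the syslog prefix so only the CSV record remains.
filterlog_records() {
    sed -n 's/.*filterlog\[[0-9]*\]: //p' "$1"
}

# Print "count interface protocol destination:port" for blocked traffic,
# most frequent first.
blocked_summary() {
    filterlog_records "$1" |
    awk -F, '$7 == "block" { key = $5 " " $17 " " $20 ":" $22; n[key]++ }
             END { for (k in n) print n[k], k }' |
    sort -rn
}

# Print the number of blocked records seen on interface $2.
blocked_count() {
    filterlog_records "$1" |
    awk -F, -v iface="$2" '$7 == "block" && $5 == iface { c++ } END { print c + 0 }'
}

# Stand-alone demonstration on the constructed log.
demo() {
    f=$(mktemp)
    make_sample_log "$f"
    echo "Blocked flows:"
    blocked_summary "$f"
    echo "Blocked on LAN (vtnet0): $(blocked_count "$f" vtnet0)"
    echo "Blocked on WAN (vtnet1): $(blocked_count "$f" vtnet1)"
    rm -f "$f"
}

demo
```

On the sample data the top entry is the TCP/8080 attempts from the portquiz check, confirming the LAN rules behave as described, and the WAN entry shows an inbound connection attempt that the default deny dropped. Run against a real export of the firewall log (for example, lines forwarded by remote syslog to a collector), the same summary is a cheap way to spot which rules are doing the work and which internal hosts keep hitting blocked ports.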

Port Forwarding
A frequent task involves publishing a service hosted on a local network, such as a mail or web server.
Test Web Server
While this topic isn’t related to pfSense, our lab currently lacks any resources for publication, so let’s
create one.

apt install apache2 php libapache2-mod-php

In the /var/www/html directory, create a file named demo.php with the following contents:
<?php
phpinfo();
?>
With the test server now set up, all that remains is to ensure the web server is operational:

systemctl status apache2

Configuring NAT on pfSense


This is done through the Firewall menu. Previously, we used the standard HTTP port for remote
connections to pfSense, so we’ll demonstrate port forwarding for a different port (TCP:8080) and
change its number.
As you can see, setting this up is quite straightforward. pfSense listens on TCP port 8080 and
forwards it to TCP:80 of the test host 192.168.1.3, where we previously deployed the web server.
It’s highly recommended to document all rules, as their number may grow over time and become
difficult to manage.

Verification
Check our settings by accessing the WAN address of pfSense at port 8080.
The internal web server has responded at the public address. Adding the title of the demo page, we
see that it has also been successfully published.

Updating
pfSense is a multifunctional and user-friendly tool. Updates are easily performed either in
the System Information section on the dashboard or through the System -> Update menu.
Our system was installed from the latest distribution and is already up to date; no updates are
necessary. Updates are typically released every six months.
If you’re ready to experiment, you can update to the experimental branch.
Here’s what updating from the previous version looks like (2.4.5):

Once the process is complete, the system will automatically reboot:


Following the reboot, the console displays the unpacking and installation of updated packages:
It’s also advised to disable Hardware Checksum Offloading for Realtek adapters.
Internal Routing
If the internal network is segmented, pfSense should be configured to use the appropriate routes.
Static routing is available right out of the box, configurable via the System -> Routing menu.
First, create an internal gateway(s), such as myIntGW, under System -> Routing -> Gateways tab,
then add the route under System -> Routing -> Static Routes tab:

After configuring the settings, remember to click the “Apply changes” button.
Dynamic routing scenarios require installing an additional package such as frr (Free Range Routing),
which supports numerous protocols including BGP, OSPF, RIP, IS-IS, PIM, LDP, BFD, Babel, PBR,
OpenFabric and VRRP.
After the package is installed, protocol configuration sections such as FRR-OSPF are added to the
Services menu:

Before setting up dynamic routing in Global Settings, activate FRR and set up the mandatory master
password:
SSL
The management interface can be switched between HTTP and HTTPS via the Advanced section of
the System menu.

Upon installation, a self-signed certificate valid for 13 months is generated.


From the same menu, clicking the Add/Sign button allows you to submit a request to a corporate
certification center and then install the received certificate or reissue the self-signed certificate for a
different term.
Typically, the pfSense interface is only accessible from within the internal network and does not
allow direct external access. If you need it accessible from the outside, disable the Anti-Lockout Rule
found in System/Advanced/Admin Access/webConfigurator for the LAN interface.
Access from the WAN requires a previously created rule on the WAN interface. Using a certificate
issued by a publicly trusted certification authority like Let’s Encrypt is also convenient. Given that
such a certificate only lasts 90 days, frequent renewal is necessary.
The acme package from the pfSense package repository helps automate certificate renewal:
Bandwidth Restriction
In some organizations, certain users must be allowed unlimited internet access. This can lead to
congestion of the entire channel and disrupt other users and services. Bandwidth limitation can help
address this issue. The Shaper offers numerous settings; let’s explore one of its common usage
scenarios.
It’s located under Firewall > Traffic Shaper in the Limiters tab.
Let’s measure the current speed.
As mentioned earlier, navigate to Traffic Shapers under the Firewall menu, select the Limiters tab,
and create 2 limiters.

Activate the rule (1), assign an easy-to-understand name (2), and set the bandwidth (3). Separate
rules are established for download and upload limits (4).
The shaper is directly activated within the firewall rules (Firewall → Rules). We want to restrict
outbound traffic from our internal clients, so let’s modify/add rules for the LAN interface accordingly.
Limits names are taken from the perspective of the interface side: In – incoming traffic, Out –
outgoing traffic. To restrict outbound client traffic, use the In rule.
Open the Rules section under the Firewall menu, navigate to the LAN tab and, in the Extra
Options section of the required (newly created or existing) rule, enable advanced settings display
(Display Advanced button):
Note: The example shown above uses an existing rule that permits internal clients to connect via
HTTPS.
In the second-from-last section of Advanced Settings (1, In/Out pipe), specify the rules for traffic
incoming to the interface (2) and outgoing from it (3).
After saving and applying settings, pfSense notifies of the need to reload filtering rules in the
background and suggests checking the status on the Status/Filter Reload page.
Following rule updates, let’s take another speed test.

Additional Features
pfSense’s functionality is expanded by numerous packages available through its package manager;
here are just a few:
- apcupsd – a daemon for interfacing with APC UPSes (now Schneider);
- arpwatch – monitors MAC/IP address activity;
- cron – a scheduling tool;
- filer – a file manager;
- squid/lightsquid/squidGuard – proxy, report generator, and filter;
- lldpd – supports discovery via Link Layer Discovery Protocol and also supports proprietary protocols
such as CDP, EDP, FDP, NDP;
- mailreport – sends reports via email;
- net-snmp – SNMP graphical interface;
- nmap – the classic tool for network scanning;
- snort/suricata/zeek – solutions for IDS/IPS systems.
It’s important to understand that using these features requires better hardware. Heavy VPN use may
necessitate one or more additional CPU cores, while IDS/IPS systems will also need an extra 1-2 GB
of RAM.
Let’s demonstrate enhanced functionality using the popular nmap scanner. In the System menu,
navigate to Package Manager, select the Available Packages tab, click Install next to the NMap
package, wait, and access the built-in scanner:
NMap is now available in the Diagnostics menu; launch it:
Our lab’s internal segment contains only one host, which was successfully detected and scanned:
Conclusion
This article presents an overview of pfSense, a solution for implementing a high-performance,
reliable, and functional software router. We learned how to install, configure, throttle speed, and
enhance functionality by installing extension packages.
