pfSense Firewall Installation

pfSense is a free, open-source firewall and router based on FreeBSD, providing enterprise-class network security and management capabilities. It is most often run on dedicated hardware or in virtualized environments, and is also offered as a virtual appliance by many hosting providers. This guide covers installation prerequisites, initial configuration, network interface setup, firewall rule creation, NAT configuration, VPN setup, and package installation for extended functionality.

System Requirements

pfSense has specific hardware and deployment requirements. Ensure these prerequisites are met:

  • 64-bit Intel or AMD processor
  • Minimum 1 GB RAM (4 GB+ recommended for production)
  • 4 GB disk space (larger for high-traffic deployments)
  • Network interfaces: 2 minimum (WAN, LAN), 3+ for complex topologies
  • USB drive or ISO for installation
  • Serial console or KVM access for installation and troubleshooting

pfSense does not run on Linux; it requires FreeBSD. However, it can be deployed on:

  • Dedicated hardware with compatible network cards
  • Virtualized environments (KVM, VirtualBox, Hyper-V, ESXi)
  • Cloud instances (AWS, Linode, etc.)
  • Container environments with appropriate support

Installation

pfSense is installed from an ISO image. Download the latest version from https://www.pfsense.org/download/.

Create a bootable USB drive:

For Linux (replace /dev/sdX with the USB device, confirmed beforehand with lsblk; dd overwrites the target without asking):

wget https://mirror.netgate.com/downloads/pfSense-CE-latest.iso.gz
gunzip pfSense-CE-latest.iso.gz
sudo dd if=pfSense-CE-latest.iso of=/dev/sdX bs=4M status=progress
sudo sync

For virtualized deployment (KVM):

wget https://mirror.netgate.com/downloads/pfSense-CE-latest.iso.gz
gunzip pfSense-CE-latest.iso.gz
qemu-img create -f qcow2 pfsense.qcow2 4G
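Before an image is written to a USB stick or attached to a VM, its checksum should be compared against the one published beside the download. The following is an added example, not code from this guide or from the pfSense project: it hashes a file in chunks and checks it against a checksum file in either the GNU sha256sum layout ("<hex>  <filename>") or the BSD layout ("SHA256 (<filename>) = <hex>"). Which layout Netgate's mirror publishes is not stated on this page, so accepting both is an assumption; the sample image and checksum lines in demo() are constructed stand-ins for the real download.

```python
import hashlib
import os
import re
import tempfile

# Two checksum-file layouts are accepted (assumption of this example, see lead-in).
_GNU_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")
_BSD_LINE = re.compile(r"^SHA256 \((.+)\) = ([0-9a-fA-F]{64})$")


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a large ISO never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksum_file(text):
    """Return {filename: hex_digest} from either checksum-file layout.
    Any line that fits neither layout is an error, not silently skipped."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _GNU_LINE.match(line)
        if m:
            sums[os.path.basename(m.group(2))] = m.group(1).lower()
            continue
        m = _BSD_LINE.match(line)
        if m:
            sums[os.path.basename(m.group(1))] = m.group(2).lower()
            continue
        raise ValueError(f"unrecognised checksum line: {line!r}")
    return sums


def verify_image(image_path, sums_text):
    """True only if the image's SHA-256 equals the published digest for that
    filename. A missing entry is a refusal, not a pass."""
    expected = parse_checksum_file(sums_text).get(os.path.basename(image_path))
    if expected is None:
        return False
    return sha256_file(image_path) == expected


def demo():
    """Constructed stand-in for the download: a tiny fake image plus its
    checksum in both layouts, then a tampered copy that must be rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        name = "pfSense-CE-latest.iso.gz"
        good = os.path.join(tmp, name)
        with open(good, "wb") as fh:
            fh.write(b"not a real image, constructed for this example\n" * 1000)
        digest = sha256_file(good)
        gnu_sums = f"{digest}  {name}\n"
        bsd_sums = f"SHA256 ({name}) = {digest}\n"

        tampered = os.path.join(tmp, "tampered", name)  # same filename, one byte changed
        os.makedirs(os.path.dirname(tampered))
        with open(tampered, "wb") as fh:
            fh.write(b"not a real image, constructed for this example\n" * 999 + b"X\n")

        return {
            "gnu_ok": verify_image(good, gnu_sums),
            "bsd_ok": verify_image(good, bsd_sums),
            "tampered_rejected": not verify_image(tampered, gnu_sums),
            "unknown_name_rejected": not verify_image(good, f"{digest}  other.iso\n"),
        }


if __name__ == "__main__":
    print(demo())
```

Note that a checksum fetched from the same mirror as the image only detects a corrupt or truncated download; it does not prove who produced the file. Where the project publishes a signature for the checksum file as well, verify that signature before trusting the digests.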

Boot from the USB drive or ISO and follow the installation prompts:

  1. Select Installation type (UFS, ZFS filesystem)
  2. Partition the disk
  3. Select installation mode
  4. Reboot into the installed system

After installation, the system provides a console menu:

pfSense 2.6.0 | FreeBSD 12.3-RELEASE
options:
1. Assign Interfaces
2. Set Hostname, Domain, DNS, IP address
3. Reset webConfigurator password
4. Reset to Factory Defaults
5. Reboot System
6. Halt System
7. Ping Host
8. Shell
9. Update System
10. Exit to shell prompt

Initial Configuration

Start the initial configuration process:

Select option 1 - Assign Interfaces. If you already know the interface names and the addresses they will carry, answer yes to the wizard prompt:

Do you want to use the wizard to set up your network interfaces?
(yes/no): yes

Configure WAN (Wide Area Network) interface:

Enter the WAN interface name: em0
Configure IPv4 address? (yes/no): yes
IPv4 address: 203.0.113.1
IPv4 subnet: 24
IPv4 gateway: 203.0.113.254
Configure IPv6 address? (yes/no): no

Configure LAN (Local Area Network) interface:

Enter the LAN interface name: em1
Configure IPv4 address? (yes/no): yes
IPv4 address: 192.168.1.1
IPv4 subnet: 24
Enable DHCP? (yes/no): yes
Starting DHCP address: 192.168.1.100
Ending DHCP address: 192.168.1.200

Set hostname and domain:

Select option 2:

Hostname: firewall
Domain: example.com
DNS servers: 8.8.8.8 8.8.4.4
WAN IP address: 203.0.113.1
WAN gateway: 203.0.113.254

Access the web interface at https://192.168.1.1 (the webConfigurator presents a self-signed certificate by default, so the browser warns on the first connection):

firefox https://192.168.1.1 &

Default credentials:

  • Username: admin
  • Password: pfsense

Change the default password immediately:

System → User Manager → admin → Edit
Set new password
Save

Network Interface Configuration

Configure additional network interfaces and VLANs for segmented networks.

Access the interface configuration:

Interfaces → Assignments

Choose a network card from the list of available ports and click "Add" to assign it as a new interface.

Configure VLAN interfaces:

Interfaces → Assignments → VLANs
Click "Add"
Parent Interface: em0
VLAN Tag: 100
VLAN Priority: 0
Description: Guest Network
Click Save

Assign the VLAN as a new interface:

Interfaces → Assignments
Click "Add" next to the new VLAN
Interface name: GUEST

Configure the new interface:

Interfaces → GUEST
Enable interface: checked
IPv4 Configuration Type: Static IPv4
IPv4 Address: 192.168.100.1
IPv4 Subnet: 24
Enable DHCP server: checked
DHCP range: 192.168.100.100 to 192.168.100.200
Save and Apply
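The WAN, LAN and GUEST settings above are easy to get subtly wrong: a gateway that sits outside the subnet or equals the interface's own address, a DHCP range that falls outside the subnet or hands out the gateway address, or two interfaces that overlap. The following added example (not code from this guide or from pfSense) checks those properties with Python's standard ipaddress module. The GUIDE_INTERFACES dictionary is a constructed transcription of the values given in this guide, with the WAN gateway 203.0.113.254 taken from the hostname and domain step; it is not a pfSense config export.

```python
import ipaddress

# Constructed transcription of the interface settings in this guide (not a config.xml export).
GUIDE_INTERFACES = {
    "WAN":   {"address": "203.0.113.1",   "prefix": 24, "gateway": "203.0.113.254"},
    "LAN":   {"address": "192.168.1.1",   "prefix": 24, "dhcp": ("192.168.1.100", "192.168.1.200")},
    "GUEST": {"address": "192.168.100.1", "prefix": 24, "dhcp": ("192.168.100.100", "192.168.100.200")},
}


def check_interface(name, cfg):
    """Return a list of problems for one interface (empty means it passes)."""
    problems = []
    iface = ipaddress.ip_interface(f"{cfg['address']}/{cfg['prefix']}")
    net, addr = iface.network, iface.ip

    # The interface address must be a usable host address in its own subnet.
    if addr in (net.network_address, net.broadcast_address):
        problems.append(f"{name}: {addr} is the network or broadcast address of {net}")

    # A gateway only works if it is another host on the same subnet.
    gw = cfg.get("gateway")
    if gw is not None:
        gw = ipaddress.ip_address(gw)
        if gw not in net:
            problems.append(f"{name}: gateway {gw} is outside {net}")
        elif gw == addr:
            problems.append(f"{name}: gateway equals the interface's own address {addr}")

    # A DHCP pool must lie inside the subnet and must not include the firewall itself.
    dhcp = cfg.get("dhcp")
    if dhcp is not None:
        start, end = (ipaddress.ip_address(x) for x in dhcp)
        if start > end:
            problems.append(f"{name}: DHCP range start {start} is after end {end}")
        if start not in net or end not in net:
            problems.append(f"{name}: DHCP range {start}-{end} is not inside {net}")
        elif start <= addr <= end:
            problems.append(f"{name}: DHCP range {start}-{end} would hand out the interface address {addr}")
    return problems


def check_overlaps(interfaces):
    """Interfaces that share address space cannot be routed or firewalled apart."""
    problems = []
    nets = {n: ipaddress.ip_interface(f"{c['address']}/{c['prefix']}").network
            for n, c in interfaces.items()}
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def validate(interfaces):
    """All per-interface checks plus the pairwise overlap check, as one list."""
    problems = []
    for name, cfg in interfaces.items():
        problems.extend(check_interface(name, cfg))
    problems.extend(check_overlaps(interfaces))
    return problems


if __name__ == "__main__":
    for p in validate(GUIDE_INTERFACES) or ["no problems found"]:
        print(p)
```

Running validate() against a transcription of a proposed layout before typing it into the console wizard or the Interfaces pages catches the mistakes the wizard itself will happily accept.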

View configured interfaces:

Interfaces → Assignments

Test interface connectivity:

Diagnostics → Ping
Address: 192.168.1.1
Click Ping

Firewall Rules

Create firewall rules to control traffic between networks. Rules on an interface tab apply to traffic entering pfSense on that interface and are evaluated top-down: the first matching rule wins, and traffic that matches no rule is dropped by the implicit default deny.

Create a rule to allow HTTP/HTTPS from LAN to WAN:

Firewall → Rules → LAN
Click "Add" (at top)
Action: Pass
Interface: LAN
Address Family: IPv4
Protocol: TCP
Destination Port Range: a port alias containing 80 (HTTP) and 443 (HTTPS), created under Firewall → Aliases → Ports (a literal range of 80 to 443 would also pass every port between them)
Source: LAN net
Destination: any
Description: Allow HTTP/HTTPS to Internet
Save and Apply

Create rules to block specific protocols:

Firewall → Rules → LAN
Click "Add"
Action: Block
Protocol: UDP
Destination Port: 53
Source: !LAN net
Description: Block DNS from outside LAN
Save and Apply

Allow inbound traffic on WAN for a forwarded port (a WAN pass rule alone does not redirect anything; the forward itself is configured under Firewall → NAT → Port Forward in the NAT section):

Firewall → Rules → WAN
Click "Add"
Action: Pass
Interface: WAN
Protocol: TCP
Destination Port: 8080
Source: any
Description: Forward port 8080 to LAN web server
Save and Apply

Configure interface groups for complex rule management:

Firewall → Interface Groups
Click "Add"
Group Name: INTERNAL
Members: LAN, GUEST
Description: Internal Networks
Save

Create rules using interface groups:

Firewall → Rules → INTERNAL
Click "Add"
Action: Pass
Source: INTERNAL net
Destination: any
Protocol: TCP
Destination Port: 443
Description: Allow INTERNAL to Internet (HTTPS)
Save and Apply
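The top-down evaluation described at the start of this section, the LAN pass rule and the negated-source block rule can all be exercised with a small first-match model. The following is an added example written for this guide, not pfSense or pf code, and it is deliberately simplified: it ignores states, IPv6 and the other rule options pfSense offers. The rules are transcribed from this section and the sample packets are constructed; LAN_RULES_TIGHTENED is a variant in which the HTTP/HTTPS rule matches only ports 80 and 443 instead of the range 80 to 443.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    proto: str           # "tcp", "udp" or "any"
    src: str             # CIDR, "!CIDR" to negate (pfSense's "invert match"), or "any"
    dst: str
    ports: frozenset     # destination ports matched; empty set means any port
    description: str


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def port_set(spec):
    """Expand '443', '80,443' or '80-443' into the ports it matches.
    A hyphenated range is inclusive, which is the pitfall shown below."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        elif part:
            ports.add(int(part))
    return frozenset(ports)


def addr_matches(spec, addr):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    hit = ipaddress.ip_address(addr) in net
    return not hit if negate else hit


def matches(rule, pkt):
    return ((rule.proto in ("any", pkt.proto))
            and addr_matches(rule.src, pkt.src)
            and addr_matches(rule.dst, pkt.dst)
            and (not rule.ports or pkt.dport in rule.ports))


def evaluate(rules, pkt):
    """First matching rule wins; unmatched traffic hits the implicit default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.description
    return "block", "default deny"


LAN_NET = "192.168.1.0/24"
BLOCK_DNS = Rule("block", "udp", "!" + LAN_NET, "any", port_set("53"), "Block DNS from outside LAN")

# The LAN tab as written in this section: the HTTP/HTTPS rule uses the range 80 to 443.
LAN_RULES_AS_WRITTEN = [
    Rule("pass", "tcp", LAN_NET, "any", port_set("80-443"), "Allow HTTP/HTTPS to Internet"),
    BLOCK_DNS,
]
# Same intent, matching only the two ports actually wanted.
LAN_RULES_TIGHTENED = [
    Rule("pass", "tcp", LAN_NET, "any", port_set("80,443"), "Allow HTTP/HTTPS to Internet"),
    BLOCK_DNS,
]


def compare(pkt):
    """(action under the rules as written, action under the tightened rules)."""
    return evaluate(LAN_RULES_AS_WRITTEN, pkt)[0], evaluate(LAN_RULES_TIGHTENED, pkt)[0]


def ordering_demo(pkt):
    """The same two rules in both orders: position, not intent, decides the outcome."""
    allow = Rule("pass", "tcp", LAN_NET, "any", port_set("443"), "Allow HTTPS")
    deny_all = Rule("block", "any", "any", "any", frozenset(), "Block everything else")
    return evaluate([allow, deny_all], pkt)[0], evaluate([deny_all, allow], pkt)[0]


if __name__ == "__main__":
    print(len(port_set("80-443")), "ports matched by the range 80 to 443")
    print(compare(Packet("tcp", "192.168.1.50", "198.51.100.10", 135)))
```

The interesting packet is TCP to port 135 from a LAN host: the rules as written pass it, the tightened rules fall through to the default deny. UDP/53 from a LAN host is also dropped in both variants, but by the default deny rather than the block rule, because the block rule's inverted source only matches addresses outside LAN net.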

View current rules:

Firewall → Rules → [Interface]

Monitor rules in real-time:

Status → System Logs → Firewall

NAT Configuration

Configure Network Address Translation for internal network access to external resources.

Configure outbound NAT (PAT):

Firewall → NAT → Outbound
Mode: Hybrid Outbound NAT
Click "Add"
Interface: WAN
Source: LAN net
Address: WAN Address
Port: any
Description: Outbound NAT for LAN
Save

Configure port forwarding for inbound services:

Firewall → NAT → Port Forward
Interface: WAN
Protocol: TCP
Destination Port: 80
Redirect Target IP: 192.168.1.10
Redirect Target Port: 8080
Filter rule association: Add unassociated filter rule
Description: Forward WAN port 80 to web server
Save

Create 1:1 NAT for dedicated servers:

Firewall → NAT → 1:1
Interface: WAN
External Subnet IP: 203.0.113.5
Internal IP: 192.168.1.50
Destination: any
Description: 1:1 NAT for mail server
Bilateral: checked
Save

View NAT statistics:

Status → Monitoring
Section: Network interfaces

Test NAT functionality:

Diagnostics → Traceroute
Remote Host: 8.8.8.8

VPN Setup

Configure VPN connections for remote access and site-to-site communication.

Set up an OpenVPN server for remote access:

VPN → OpenVPN → Server
Click "Add"
Server Mode: Remote Access (User Auth)
Protocol: UDP4
Port: 1194
TLS Authentication: Generate
Cipher: AES-256-GCM
Enable NCP: checked
NCP Algorithms: AES-256-GCM
Compression: disabled (compression stub only, no payload compression)
Allow Compression: unchecked
LZO Compression: unchecked

Configure OpenVPN Client Specific Overrides:

VPN → OpenVPN → Client Specific Overrides
Click "Add"
Common Name: user1
Enable: checked
Redirect Gateway: checked
Push Networks: 192.168.1.0/24
Save

Set up an IPsec VPN for site-to-site:

VPN → IPsec → Tunnels
Click "Add"
Disabled: unchecked
General Information:
  Parent: WAN
  Type: Mobile
Phase 1:
  Encryption Algorithm: AES
  Hash Algorithm: SHA256
  DH Key Group: 14
  Lifetime: 28800
Phase 2:
  Protocol: ESP
  Encryption Algorithms: AES-256-GCM
  Hash Algorithms: SHA256
  PFS Key Group: 14
  Lifetime: 3600
Save

Add IPsec encryption rules:

VPN → IPsec → Encryption
Click "Add"
Mode: Tunnel
Local Subnet: 192.168.1.0/24
Remote Gateway: remote-gateway-ip
Remote Subnet: 192.168.2.0/24
Phase 1 Algorithms: AES-256, SHA256, Group 14
Phase 2 Algorithms: AES-256-GCM, SHA256
Save

Package Management

Install additional packages for extended functionality.

Access package manager:

System → Package Manager → Available Packages

Common useful packages:

- Snort: Network intrusion detection
- Suricata: Alternative IDS/IPS
- ntop: Network monitoring
- pfBlockerNG: IP reputation-based blocking
- Squid: Web proxy
- HAProxy: Load balancer
- iftop: Traffic monitoring

Install a package (example: ntop):

System → Package Manager → Available Packages
Search for "ntop"
Click "Install"
Wait for installation
Click "Return to Summary"

Configure installed packages:

Services → ntop
Enable: checked
Port: 3000
Address: 0.0.0.0 (listens on every interface, WAN included; bind to the LAN address instead, or block the port on WAN with a firewall rule, unless the monitoring console must be reachable from all networks)
Save and Apply

Access the installed service via its web interface (example: ntop):

Services → ntop
http://192.168.1.1:3000

Dashboard and Monitoring

Monitor network activity and system health through the dashboard.

Customize the dashboard:

Home
Click "Edit Dashboard"
Available widgets:
- System Information
- Interfaces
- Firewall States
- Traffic Graphs
- Service Status
- Recent Logs
- Disk Usage
- Memory Usage

Add widgets:

Home → Edit Dashboard
Click "Add Widget"
Select desired widgets
Click "Save"

Monitor interface statistics:

Status → Interfaces
Shows:
- Bandwidth usage
- Packets in/out
- Errors
- Dropped packets

View firewall logs:

Status → System Logs → Firewall
Shows real-time firewall rule hits
Filter by interface, action, protocol

Monitor connected clients:

Status → OpenVPN → Server
Shows connected VPN clients
Active sessions
Data transferred

View system information:

System → General Setup
Shows:
- System time and uptime
- Hardware information
- Disk usage
- Memory statistics

Advanced Features

Configure advanced network security and management features.

Enable Dynamic DNS for a dynamic WAN IP:

System → General Setup → Dynamic DNS
Click "Add"
Service Type: DynamicDNS Provider
Provider: Your provider
Hostname: your.domain.com
Username: your-username
Password: your-password
Save and Apply

Configure DHCP reservation for static IPs:

Services → DHCP Server → LAN
DHCP Static Mappings:
Click "Add"
MAC address: device-mac-address
IP Address: 192.168.1.50
Hostname: desired-hostname
Save

Set up high availability and failover:

System → High Availability
Enable CARP: checked
Synchronize State: checked
Backup Host: backup-firewall-ip
Save

Configure system backup:

Diagnostics → Backup & Restore
Configuration Backup: click Download
Schedule automatic backups:
- Daily
- Weekly
- Monthly

Conclusion

pfSense provides comprehensive firewall and routing capabilities for protecting networks of any size. By following this guide, you've installed pfSense, configured network interfaces and VLANs for network segmentation, created firewall rules to control traffic, set up NAT for address translation, configured VPN for remote access and site-to-site connectivity, installed additional packages for extended functionality, and implemented monitoring for network visibility. Regular maintenance includes rule review, log analysis, security updates, and performance tuning. Whether protecting a small office or large enterprise network, pfSense scales with comprehensive security features and flexible configuration options.