pfSense Firewall Installation

pfSense is a free, open-source firewall and router based on FreeBSD, providing enterprise-class network security and management capabilities. While primarily run on dedicated hardware or in virtualized environments, pfSense can also be deployed as a virtual appliance in many hosting environments. This comprehensive guide covers installation prerequisites, initial configuration, network interface setup, firewall rule creation, NAT configuration, VPN setup, and package installation for extended functionality.


System Requirements

pfSense has specific hardware and deployment requirements. Ensure these prerequisites are met:

  • 64-bit Intel or AMD processor
  • Minimum 1 GB RAM (4 GB+ recommended for production)
  • 4 GB disk space (larger for high-traffic deployments)
  • Network interfaces: 2 minimum (WAN, LAN), 3+ for complex topologies
  • USB drive or ISO for installation
  • Serial console or KVM access for installation and troubleshooting

pfSense does not run on Linux; it requires FreeBSD. However, it can be deployed on:

  • Dedicated hardware with compatible network cards
  • Virtualized environments (KVM, VirtualBox, Hyper-V, ESXi)
  • Cloud instances (AWS, Linode, etc.)
  • Container environments with appropriate support

Installation

pfSense is installed from an ISO image. Download the latest version from https://www.pfsense.org/download/.

Create a bootable USB drive:

For Linux:

wget https://mirror.netgate.com/downloads/pfSense-CE-latest.iso.gz
gunzip pfSense-CE-latest.iso.gz
sudo dd if=pfSense-CE-latest.iso of=/dev/sdX bs=4M status=progress
sudo sync

For virtualized deployment (KVM):

wget https://mirror.netgate.com/downloads/pfSense-CE-latest.iso.gz
gunzip pfSense-CE-latest.iso.gz
qemu-img create -f qcow2 pfsense.qcow2 4G

Boot from the USB drive or ISO and follow the installation prompts:

  1. Select installation type (UFS or ZFS filesystem)
  2. Partition the disk
  3. Select installation mode
  4. Reboot into the installed system

After installation, the system provides a console menu:

pfSense 2.6.0 | FreeBSD 12.3-RELEASE
options:
1. Assign Interfaces
2. Set Hostname, Domain, DNS, IP address
3. Reset webConfigurator password
4. Reset to Factory Defaults
5. Reboot System
6. Halt System
7. Ping Host
8. Shell
9. Update System
10. Exit to shell prompt

Initial Configuration

Start the initial configuration process:

Select option 1 - Assign Interfaces:

If you already know the IP addresses and interface names, you can answer yes to this prompt.
Do you want to use the wizard to set up your network interfaces?
(yes/no): yes

Configure the WAN (Wide Area Network) interface:

Enter the WAN interface name: em0
Configure IPv4 address? (yes/no): yes
IPv4 address: 203.0.113.1
IPv4 subnet: 24
IPv4 gateway: 203.0.113.1
Configure IPv6 address? (yes/no): no

Configure the LAN (Local Area Network) interface:

Enter the LAN interface name: em1
Configure IPv4 address? (yes/no): yes
IPv4 address: 192.168.1.1
IPv4 subnet: 24
Enable DHCP? (yes/no): yes
Starting DHCP address: 192.168.1.100
Ending DHCP address: 192.168.1.200

Set hostname and domain:

Select option 2:

Hostname: firewall
Domain: example.com
DNS servers: 8.8.8.8 8.8.4.4
WAN IP address: 203.0.113.1
WAN gateway: 203.0.113.254
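Before applying the addressing above, a quick sanity check catches the mistakes that most often leave a new firewall unreachable: a gateway equal to the interface's own address, a gateway outside the WAN subnet, or a DHCP pool that overlaps the LAN interface address. This Python helper is an added example, not pfSense code; the function name and the values it is run against are illustrative.

```python
import ipaddress


def check_interface(name, address, prefix, gateway=None, dhcp_range=None):
    """Return a list of problems with a static IPv4 interface definition.

    address/prefix are the settings entered at the console; gateway is the
    upstream router (WAN only); dhcp_range is a (start, end) pair for the
    DHCP pool served on that interface (LAN/VLAN only).
    """
    problems = []
    iface = ipaddress.ip_interface(f"{address}/{prefix}")
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{name}: {iface.ip} is the network or broadcast address of {net}")
    if gateway is not None:
        gw = ipaddress.ip_address(gateway)
        if gw == iface.ip:
            problems.append(f"{name}: gateway {gw} is the interface's own address")
        elif gw not in net:
            problems.append(f"{name}: gateway {gw} is not inside {net}")
    if dhcp_range is not None:
        start, end = (ipaddress.ip_address(x) for x in dhcp_range)
        if start > end:
            problems.append(f"{name}: DHCP range start {start} is after end {end}")
        if start not in net or end not in net:
            problems.append(f"{name}: DHCP range {start}-{end} is not inside {net}")
        if start <= iface.ip <= end:
            problems.append(f"{name}: DHCP range {start}-{end} includes the interface address")
    return problems


if __name__ == "__main__":
    # Values from this guide's console walkthrough (constructed input, not pfSense output).
    for p in check_interface("WAN", "203.0.113.1", 24, gateway="203.0.113.254"):
        print(p)
    for p in check_interface("LAN", "192.168.1.1", 24,
                             dhcp_range=("192.168.1.100", "192.168.1.200")):
        print(p)
```

An empty list means the interface definition is internally consistent; anything returned should be fixed at the console before touching the web interface.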

Access the web interface at https://192.168.1.1:

firefox https://192.168.1.1 &

Default credentials:

  • Username: admin
  • Password: pfsense

Change the default password immediately:

System → User Manager → admin → Edit
Set new password
Save

Network Interface Configuration

Configure additional network interfaces and VLANs for segmented networks.

Access the interface configuration:

Interfaces → Assignments

Add a new interface from the list of available network cards. Click "Add" to add interfaces.

Configure VLAN interfaces:

Interfaces → Assignments → VLANs
Click "Add"
Parent Interface: em0
VLAN Tag: 100
VLAN Priority: 0
Description: Guest Network
Click Save

Assign the VLAN to an interface group:

Interfaces → Assignments
Click "Add" next to the new VLAN
Interface name: GUEST

Configure the new interface:

Interfaces → GUEST
Enable interface: checked
IPv4 Configuration Type: Static IPv4
IPv4 Address: 192.168.100.1
IPv4 Subnet: 24
Enable DHCP server: checked
DHCP range: 192.168.100.100 to 192.168.100.200
Save and Apply

View configured interfaces:

Interfaces → Assignments

Test interface connectivity:

Diagnostics → Ping
Address: 192.168.1.1
Click Ping

Firewall Rules

Create firewall rules to control traffic between networks. Rules are evaluated top-down, and the first match wins.

Create a rule to allow HTTP/HTTPS from LAN to WAN (note that a destination port range of 80 to 443 also passes every port in between; two single-port rules or a port alias containing only 80 and 443 is tighter):

Firewall → Rules → LAN
Click "Add" (at top)
Action: Pass
Interface: LAN
Address Family: IPv4
Protocol: TCP
Destination Port Range: 80 (HTTP) to 443 (HTTPS)
Source: LAN net
Destination: any
Description: Allow HTTP/HTTPS to Internet
Save and Apply

Create rules to block specific protocols:

Firewall → Rules → LAN
Click "Add"
Action: Block
Protocol: UDP
Destination Port: 53
Source: !LAN net
Description: Block DNS from outside LAN
Save and Apply

Create port forwarding rules:

Firewall → Rules → WAN
Click "Add"
Action: Pass
Interface: WAN
Protocol: TCP
Destination Port: 8080
Source: any
Description: Forward port 8080 to LAN web server
Save and Apply

Configura interface groups for complex rule management:

Firewall → Interface Groups
Click "Add"
Group Name: INTERNAL
Members: LAN, VLAN100
Description: Internal Networks
Save

Create rules using interface groups:

Firewall → Rules → INTERNAL
Click "Add"
Action: Pass
Source: INTERNAL net
Destination: any
Protocol: TCP
Destination Port: 443
Description: Allow INTERNAL to Internet (HTTPS)
Save and Apply

View current rules:

Firewall → Rules → [Interface]

Monitor rule hits in real time:

Status → System Logs → Firewall
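The rules created in this section are worth auditing after the fact: a port range of 80 to 443 passes 364 destination ports, and a WAN pass rule with any source and any destination is wider than a single port forward needs. This Python audit is an added example, not pfSense code; it runs over a constructed config.xml fragment whose <filter><rule> element layout is my assumption about pfSense's export format, and its thresholds are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed config.xml fragment (not exported from a real firewall). The
# <filter><rule> layout follows pfSense's config.xml as I understand it, which
# is an assumption; the rules are the LAN and WAN rules created in this guide.
SAMPLE_CONFIG = """<pfsense><filter>
  <rule><type>pass</type><interface>lan</interface><ipprotocol>inet</ipprotocol>
    <protocol>tcp</protocol><source><network>lan</network></source>
    <destination><any/><port>80-443</port></destination>
    <descr>Allow HTTP/HTTPS to Internet</descr></rule>
  <rule><type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
    <protocol>tcp</protocol><source><any/></source>
    <destination><any/><port>8080</port></destination>
    <descr>Forward port 8080 to LAN web server</descr></rule>
  <rule><type>block</type><interface>lan</interface><protocol>udp</protocol>
    <source><network>lan</network><not/></source>
    <destination><any/><port>53</port></destination>
    <descr>Block DNS from outside LAN</descr></rule>
</filter></pfsense>"""


def port_span(spec):
    """Port field to inclusive (low, high): '80-443' -> (80, 443); empty -> all ports."""
    if not spec:
        return (1, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))


def audit_rules(xml_text, max_ports=1):
    """Flag enabled pass rules that are broader than the stated purpose needs."""
    findings = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        if rule.findtext("type") != "pass" or rule.find("disabled") is not None:
            continue  # block/reject rules and disabled rules do not widen exposure
        iface, descr = rule.findtext("interface"), rule.findtext("descr", "")
        src, dst = rule.find("source"), rule.find("destination")
        lo, hi = port_span(dst.findtext("port") if dst is not None else None)
        if hi - lo + 1 > max_ports:
            findings.append(f"{iface}: '{descr}' passes {hi - lo + 1} destination ports "
                            f"({lo}-{hi}); use single ports or a port alias")
        src_any = src is None or src.find("any") is not None
        dst_any = dst is None or dst.find("any") is not None
        if iface == "wan" and src_any and dst_any:
            findings.append(f"{iface}: '{descr}' passes any source to any destination; "
                            f"restrict the destination to the forwarded host")
    return findings


if __name__ == "__main__":
    for line in audit_rules(SAMPLE_CONFIG):
        print(line)
```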

NAT Configuration

Configure Network Address Translation for internal network access to external resources.

Configure outbound NAT (PAT):

Firewall → NAT → Outbound
Mode: Hybrid Outbound NAT
Click "Add"
Interface: WAN
Source: LAN net
Address: WAN Address
Port: any
Description: Outbound NAT for LAN
Save

Configure port forwarding for inbound services:

Firewall → NAT → Port Forward
Interface: WAN
Protocol: TCP
Destination Port: 80
Redirect Target IP: 192.168.1.10
Redirect Target Port: 8080
Filter rule association: Add unassociated filter rule
Description: Forward WAN port 80 to web server
Save

Create 1:1 NAT for dedicated servers:

Firewall → NAT → 1:1
Interface: WAN
External Subnet IP: 203.0.113.5
Internal IP: 192.168.1.50
Destination: any
Description: 1:1 NAT for mail server
Bilateral: checked
Save

View NAT statistics:

Status → Monitoring
Section: Network interfaces

Test NAT functionality:

Diagnostics → Traceroute
Remote Host: 8.8.8.8

VPN Configuration

Configure VPN connections for remote access and site-to-site communication.

Configure an OpenVPN server for remote access:

VPN → OpenVPN → Server
Click "Add"
Server Mode: Remote Access (User Auth)
Protocol: UDP4
Port: 1194
TLS Authentication: Generate
Cipher: AES-256-GCM
Enable NCP: checked
NCP Algorithms: AES-256-GCM
Compression: Stub with d-comp-disabled
Allow Compression: unchecked
LZO Compression: unchecked

Configure OpenVPN Client Specific Overrides:

VPN → OpenVPN → Client Specific Overrides
Click "Add"
Common Name: user1
Enable: checked
Redirect Gateway: checked
Push Networks: 192.168.1.0/24
Save

Configure an IPsec VPN for site-to-site connectivity:

VPN → IPsec → Tunnels
Click "Add"
Disabled: unchecked
General Information:
  Parent: WAN
  Type: Mobile
Phase 1:
  Encryption Algorithm: AES
  Hash Algorithm: SHA256
  DH Key Group: 14
  Lifetime: 28800
Phase 2:
  Protocol: ESP
  Encryption Algorithms: AES-256-GCM
  Hash Algorithms: SHA256
  PFS Key Group: 14
  Lifetime: 3600
Save

Add IPsec encryption rules:

VPN → IPsec → Encryption
Click "Add"
Mode: Tunnel
Local Subnet: 192.168.1.0/24
Remote Gateway: remote-gateway-ip
Remote Subnet: 192.168.2.0/24
Phase 1 Algorithms: AES-256, SHA256, Group 14
Phase 2 Algorithms: AES-256-GCM, SHA256
Save

Package Management

Install additional packages for extended functionality.

Access package manager:

System → Package Manager → Available Packages

Common useful packages:

- Snort: Network intrusion detection
- Suricata: Alternative IDS/IPS
- ntop: Network monitoring
- pfBlockerNG: IP reputation-based blocking
- Squid: Web proxy
- HAProxy: Load balancer
- iftop: Traffic monitoring

Install a package (example: ntop):

System → Package Manager → Available Packages
Search for "ntop"
Click "Install"
Wait for installation
Click "Return to Summary"

Configure installed packages:

Services → ntop
Enable: checked
Port: 3000
Address: 0.0.0.0
Save and Apply

Access the installed service via its web interface (example: ntop):

Services → ntop
http://192.168.1.1:3000

Dashboard and Monitoring

Monitor network activity and system health through the dashboard.

Customize the dashboard:

Home
Click "Edit Dashboard"
Available widgets:
- System Information
- Interfaces
- Firewall States
- Traffic Graphs
- Service Status
- Recent Logs
- Disk Usage
- Memory Usage

Add widgets:

Home → Edit Dashboard
Click "Add Widget"
Select desired widgets
Click "Save"

Monitor interface statistics:

Status → Interfaces
Shows:
- Bandwidth usage
- Packets in/out
- Errors
- Dropped packets

View firewall logs:

Status → System Logs → Firewall
Shows real-time firewall rule hits
Filter by interface, action, protocol

Monitor connected clients:

Status → OpenVPN → Server
Shows connected VPN clients
Active sessions
Data transferred

View system information:

System → General Configuration
Shows:
- System time and uptime
- Hardware information
- Disk usage
- Memory statistics

Advanced Features

Configure advanced network security and management features.

Enable Dynamic DNS for a dynamic WAN IP:

System → General Configuration → Dynamic DNS
Click "Add"
Service Type: DynamicDNS Provider
Provider: Your provider
Hostname: your.domain.com
Username: your-username
Password: your-password
Save and Apply

Configure DHCP reservations for static IPs:

Services → DHCP Server → LAN
DHCP Static Mappings:
Click "Add"
MAC address: device-mac-address
IP Address: 192.168.1.50
Hostname: desired-hostname
Save

Configure high availability and failover:

System → High Availability
Enable CARP: checked
Synchronize State: checked
Backup Host: backup-firewall-ip
Save

Configure system backups:

Diagnostics → Backup & Restore
Configuration Backup: click Download
Schedule automatic backups:
- Daily
- Weekly
- Monthly

Conclusion

pfSense provides comprehensive firewall and routing capabilities for protecting networks of any size. By following this guide, you have installed pfSense, configured network interfaces and VLANs for network segmentation, created firewall rules to control traffic, set up NAT for address translation, configured VPNs for remote access and site-to-site connectivity, installed additional packages for extended functionality, and implemented monitoring for network visibility. Regular maintenance includes rule review, log analysis, security updates, and performance tuning. Whether protecting a small office or a large enterprise network, pfSense scales with comprehensive security features and flexible configuration options.