pfSense configuration
If installation was successful, you should see a screen similar to the one shown in the following screenshot:

The console menu in pfSense 2.4.3
Configuration takes place in two phases. Some configuration must be done at the console, including interface configuration and interface IP address assignment. Some configuration steps, such as VLAN and DHCP setup, can be done either at the console or within the web GUI. On initial bootup, pfSense will automatically configure the WAN and LAN interfaces, according to the following parameters:
- Network interfaces will be assigned to device IDs em0, em1, and so on
- The WAN interface will be assigned to em0, and the LAN interface will be assigned to em1
- The WAN interface will look to an upstream DHCP server for its IP address, while the LAN interface will initially be assigned an IP address of 192.168.1.1
You can, of course, accept these default assignments and proceed to the web GUI, but chances are you will need to change at least some of these settings. If you need to change interface assignments, select 1 from the menu.
Configuration from the console
On boot, you should eventually see a menu identical to the one seen on the CD version, with the boot multi or single user options, and other options. After a timeout period, the boot process will continue and you will get an Options menu. If the default interface assignments are unsatisfactory, select 1 from the menu to begin interface assignment. This is where the network cards installed in the system are given their roles as WAN, LAN, and optional interfaces (OPT1, OPT2, and so on).
If you select this option, you will be presented with a list of network interfaces. This list provides four pieces of information:
- pfSense's device name for the interface (fxp0, em1, and so on)
- The MAC address of the interface
- The link state of the interface (up if a link is detected; down otherwise)
- The manufacturer and model of the interface (Intel PRO 1000, for example)
As you are probably aware, generally speaking, no two network cards have the same MAC address, so each of the interfaces in your system should have a unique MAC address.
- To begin the configuration, select 1 and press Enter for the Assign Interfaces option.
- After that, a prompt will show up for VLAN configuration.
Note
We will cover VLAN configuration in Chapter 4, Using pfSense as a Firewall, and we will cover both configuration from the command line and web GUI VLAN configuration.
- If you wish to set up VLANs, see Chapter 3, VLANs. Otherwise, type n and press Enter. Keep in mind that you can always configure VLANs later on.
- The interfaces must be configured, and you will be prompted for the WAN interface first.
- If you only configure one interface, it will be assigned to the WAN, and you will subsequently be able to log in to pfSense through this port.
This is not what you would normally want, as the WAN port is typically accessible from the other side of the firewall.
- When at least one other interface is configured, you will no longer be able to log in to pfSense from the WAN port. Unless you are using VLANs, you will have to set up at least two network interfaces.
In pfSense, network interfaces are assigned rather cryptic device names (for example, fxp0, em1, and so on) and it is not always easy to know which ports correspond to particular device names. One way of solving this problem is to use the automatic interface assignment feature.
- To do this, unplug all network cables from the system, and then type a and press Enter to begin auto-detection.
- The WAN interface is the first interface to be detected, so plug a cable into the port you intend to be the WAN interface.
The process is repeated with each successive interface.
- The LAN interface is configured next, then each of the optional interfaces (OPT1, OPT2).
Note
If auto-detection does not work, or you do not want to use it, you can always choose manual configuration. You can always reassign network interfaces later on, so even if you make a mistake on this step, the mistake can be easily fixed.
- Once you have finished configuration, type y at the Do you want to proceed? prompt, or type n and press Enter to re-assign the interfaces.
- Option two on the menu is Set interface(s) IP address, and you will likely want to complete this step as well. When you invoke this option, you will be prompted to specify which interface's IP address is to be set.
- If you select WAN interface, you will be asked if you want to configure the IP address via DHCP. In most scenarios, this is probably the option you want to choose, especially if pfSense is acting as a firewall. In that case, the WAN interface will receive an IP address from your ISP's DHCP server. For all other interfaces (or if you choose not to use DHCP on the WAN interface), you will be prompted to enter the interface's IPv4 address.
- The next prompt will ask you for the subnet bit count. In most cases, you'll want to enter 8 if you are using a Class A private address, 16 for Class B, and 24 for Class C, but if you are using classless subnetting (for example, to divide a Class C network into two separate networks), then you will want to set the bit count accordingly.
- You will also be prompted for the IPv4 gateway address (any interface with a gateway set is a WAN, and pfSense supports multiple WANs); if you are not configuring the WAN interface(s), you can just hit Enter here.
- Next, you will be prompted to provide the address, subnet bit count, and gateway address for IPv6; if you want your network to fully utilize IPv6 addresses, you should enter them here.
The advantages of IPv6 over IPv4 will be discussed more fully in Chapter 2, Advanced pfSense Configuration.
We have now configured as much as we need to from the console (actually, we have done more than we have to, since we really only have to configure the WAN interface from the console). The remainder of the configuration can be done from the pfSense web GUI.
Configuration from the web GUI
The pfSense web GUI can only be accessed from another PC. If the WAN was the only interface assigned during the initial setup, then you will be able to access pfSense through the WAN IP address. Once one of the local interfaces is configured (typically the LAN interface), pfSense can no longer be accessed through the WAN interface. You will, however, be able to access pfSense from the local side of the firewall (typically through the LAN interface). In either case, you can access the web GUI by connecting another computer to the pfSense system, either directly (with a crossover cable) or indirectly (through a switch), and then typing either the WAN or LAN IP address into the connected computer's web browser.
Note
If you enabled the LAN interface but did not enable DHCP on LAN, or if you are accessing the web GUI on another computer on the LAN network, you must statically set the IP address on that computer to a valid IP address for the LAN network (for example, if the LAN interface IP address is 192.168.1.1 and the LAN network is 192.168.1.0/24, set it to 192.168.1.2 or any number other than 1 for the last octet).
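The subnet bit count prompt described in the console section and the static client address described in the note above can both be checked before typing anything in. The following is an added example, not code from pfSense or from the book; the function names are hypothetical, and it assumes the firewall takes the first usable host address of each subnet.

```python
import ipaddress

# Bit counts the text suggests for whole private blocks (classful defaults).
CLASSFUL_DEFAULTS = (
    (ipaddress.ip_network("10.0.0.0/8"), 8),        # Class A private
    (ipaddress.ip_network("172.16.0.0/12"), 16),    # Class B private
    (ipaddress.ip_network("192.168.0.0/16"), 24),   # Class C private
)


def default_bit_count(address):
    """Return 8, 16 or 24 for a private address, or None if it is not private."""
    ip = ipaddress.ip_address(address)
    for block, bits in CLASSFUL_DEFAULTS:
        if ip in block:
            return bits
    return None


def split_network(cidr, parts):
    """Classless subnetting: divide `cidr` into `parts` equal subnets."""
    if parts < 1 or parts & (parts - 1):
        raise ValueError("parts must be a power of two")
    network = ipaddress.ip_network(cidr, strict=True)
    return list(network.subnets(prefixlen_diff=parts.bit_length() - 1))


def console_answers(subnet):
    """Interface address and subnet bit count to type at the console prompts.

    Assumption: the firewall takes the first usable host address of the subnet.
    """
    first_host = next(iter(subnet.hosts()))
    return str(first_host), subnet.prefixlen


def check_client_address(client, interface_address, bit_count):
    """Say whether `client` can be statically set on the interface's network."""
    iface = ipaddress.ip_interface(f"{interface_address}/{bit_count}")
    ip = ipaddress.ip_address(client)
    if ip not in iface.network:
        return f"outside {iface.network}"
    if ip == iface.ip:
        return "collides with the firewall's own address"
    if ip == iface.network.network_address:
        return "is the network address"
    if ip == iface.network.broadcast_address:
        return "is the broadcast address"
    return "ok"


if __name__ == "__main__":
    # Divide a Class C network into two separate networks, as in the text.
    low, high = split_network("192.168.1.0/24", 2)
    for subnet in (low, high):
        address, bits = console_answers(subnet)
        print(f"{subnet}: interface {address}, bit count {bits}")
    # Candidate static addresses for a PC on the first half (constructed values).
    for candidate in ("192.168.1.2", "192.168.1.1", "192.168.1.127", "192.168.1.200"):
        print(candidate, "->", check_client_address(candidate, "192.168.1.1", 25))
```

With a bit count of 25, an address such as 192.168.1.200 that was valid on the original /24 is no longer on the LAN network, which is the kind of mismatch that locks a PC out of the web GUI.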
- When you initially log in to pfSense, the default username/password combination will be admin/pfsense, respectively.
- On your first login, the Setup Wizard will begin automatically.
- Click on the Next button to begin configuration.
Note
If you need to run the Setup Wizard after your initial login, select System | Setup Wizard from the top menu.
- The first screen provides a link for information about a pfSense Gold Netgate Global Support subscription. You can click on the link to sign up to learn more, or click on the Next button.
- On the next screen, you will be prompted to enter the hostname of the router as well as the domain. Hostnames can contain letters, numbers, and hyphens, but must begin with a letter. If you have a domain, you can enter it in the appropriate field.
- In the Primary DNS Server and Secondary DNS Server fields, you can enter your DNS servers. If you are using DHCP for your WAN, you can probably leave these fields blank, as they will usually be assigned automatically by your ISP. However, your ISP's DNS servers may not be reliable. There are many third party DNS servers available, including OpenDNS (208.67.220.220 and 208.67.222.222) and Google Public DNS (8.8.8.8 and 8.8.4.4). Uncheck the Override DNS checkbox if you want to use third party DNS servers rather than the DNS servers used by your ISP. Click on Next when finished.
- The next screen will prompt you for the Network Time Protocol (NTP) server as well as the local time zone. The NTP server configuration will be covered in greater detail in the next chapter; you can keep the default value for the server hostname for now. For the Timezone field, you should select the zone which matches your location and click on Next.
- The next screen of the wizard is the WAN configuration page.
In most scenarios, you won't need to make any further changes to the WAN in comparison to what was done at the console (at least initially; a multi-WAN setup is more involved and will be discussed more fully in Chapter 9, Multiple WANs).
If you need to make changes, however, there are several options on this page.
- For Selected Type, you have several options, but the most commonly used options are DHCP (the default type) or Static. If your pfSense system is behind another firewall and it is not going to receive an IP address from an upstream DHCP server, then you probably should choose Static. If pfSense is going to be a perimeter firewall, however, then DHCP is likely the correct setting, since your ISP will probably dynamically assign an IP address (this is not always the case, as you may have an IP address statically assigned to you by your ISP, but it is the more likely scenario).
- The other choices are Point-to-Point Protocol over Ethernet (PPPoE) and Point-to-Point Tunneling Protocol (PPTP). Your ISP may require that you use one of these options for the WAN interface; if you are not sure, check with them.
- If you selected either PPPoE or PPTP, you will have to scroll down to the appropriate part of the page to enter parameters for these connections.
- At a minimum, you will likely have to enter the Username and Password for such connections. In addition, PPTP requires that you enter a local IP address and a remote IP address.
- The dial-on-demand checkbox for PPPoE and PPTP connections allows you to connect to your ISP only when a user requests data that requires an internet connection. Both PPPoE and PPTP support an Idle timeout setting, which specifies how long the connection will be kept open after transmitting data when this option is invoked. Leaving this field blank disables this function.
Note
PPP (Point-to-Point Protocol) and L2TP (Layer 2 Tunneling Protocol) are also valid choices for the WAN configuration type. However, the Setup Wizard does not allow the user to select either of these. In order to select PPP or L2TP, navigate to Interfaces | WAN from the top menu, and select PPP or L2TP in either the IPv4 Configuration Type or IPv6 Configuration Type drop-down box (or both). Setup is similar to the setup for PPPoE and PPTP: you will have to enter a Username and Password, and in the case of PPP, you will also have to enter your ISP's phone number in the Phone number field.
- We can now turn our attention to the General Configuration section. The MAC address field allows you to enter a MAC address that is different from the actual MAC address of the WAN interface. This can be useful if your ISP will not recognize an interface with a different MAC address than the device that was previously connected, or if you want to acquire a different IP address (changing the MAC address will cause the upstream DHCP server to assign a different address).
- If you use this option, make sure the portion of the address reserved for the Organizationally Unique Identifier (OUI) is a valid OUI – in other words, an OUI assigned to a network card manufacturer. (The OUI portion of the address is the first three bytes of a MAC-48 address and the first five bytes of an EUI-48 address).
- The next few fields can usually be left blank. Maximum Transmission Unit (MTU) allows you to change the MTU size if necessary. DHCP hostname allows you to send a hostname to your ISP when making a DHCP request, which is useful if your ISP requires this.
- The Block RFC1918 Private Networks checkbox, if checked, will block registered private networks (as defined by RFC 1918) from connecting to the WAN interface. The Block Bogon Networks option blocks traffic from reserved and/or unassigned IP addresses. For the WAN interface, you should check both options unless you have special reasons for not invoking these options. Click the Next button when you are done.
- The next screen provides fields in which you can change the
- You can keep the default, or change it to another value within the private address blocks. You may want to choose an address range other than the very common 192.168.1.x in order to avoid a conflict.
- Be aware that if you change the LAN IP address value, you will also need to adjust your PC's IP address, or release and renew its DHCP lease when finished with the network interface. You will also have to change the pfSense IP address in your browser to reflect the change.
- The final screen of the pfSense Setup Wizard allows you to change the admin password, which you should do now.
- Enter the password, enter it again for confirmation in the next edit box, and click on Next.
- Later on, you can create another administrator account with a username other than admin and disable the admin account, for additional security, unless you plan on setting up multiple firewalls for high availability, in which case you will need to retain the admin account.
- On the following screen, there will be a Reload button; click on Reload. This will reload pfSense with the new changes.
- Once you have completed the wizard, you should have network connectivity. Although there are other means of making changes to pfSense's configuration, if you want to repeat the wizard, you can do so by navigating to System | Setup Wizard. Completion of the wizard will take you to the pfSense dashboard.
Configuring additional interfaces
By now, both the WAN and LAN interface configurations should be complete. Although additional interface configuration can be done at the console, it can also be done (and somewhat more conveniently so) in the web GUI.
- To add optional interfaces, navigate to the Interfaces | Assignments tab, which will show a list of assigned interfaces, and at the bottom of the table, there will be an Available network ports option.
- There will be a corresponding drop-down box with a list of unassigned network ports. These will have device names such as fxp0, em1, and so on.
- To assign an unused port, select the port you want to assign from the drop-down box, and click on the + button to the right.
- The page will reload, and the new interface will be the last entry in the table. The name of the interface will be OPTx, where x equals the number of optional interfaces.
- By clicking on the interface name, you can configure the interface.
Nearly all the settings here are similar to the settings that were available on the WAN and LAN configuration pages in the pfSense Setup Wizard.
Some of the options under the General Configuration section that are not available in the Setup Wizard are MSS (Maximum Segment Size) and Speed and duplex.
Normally, MSS should remain unchanged, although you can change this setting if your internet connection requires it.
- If you click on the Advanced button under Speed and duplex, a drop-down box will appear in which you can explicitly set the speed and duplex for the interface. Since virtually all modern network hardware has the capability of automatically selecting the correct speed and duplex, you will probably want to leave this unchanged.
- The section at the bottom of the page, Reserved Networks, allows you to enable Block private networks and loopback addresses and Block bogon networks via their respective checkboxes. Although these options are checked by default when configuring the WAN interface, we normally want to allow private networks on internal interfaces, so these options are normally not enabled when configuring non-WAN interfaces.
- If you chose an option other than Static for the Configuration Type, then other options will appear.
Since it is unlikely that internal interfaces will be configured as such, further discussion of these options will take place in the next section on WAN configuration.
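The effect of the two Reserved Networks checkboxes, and the reason they are left off on internal interfaces, can be modelled on a handful of source addresses. The following is an added example, not pfSense's own rule logic: the bogon list is a small constructed subset of reserved IPv4 space, the source addresses are constructed, and the function names are hypothetical. A result of "no-match" means only that these two options did not drop the packet; the rest of the ruleset still applies.

```python
import ipaddress

# Ranges covered by "Block private networks and loopback addresses" in this model.
PRIVATE_AND_LOOPBACK = tuple(ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8",                                     # loopback
))

# Constructed, illustrative subset of reserved space. A real bogon list is
# longer, also covers unassigned space, and changes over time.
SAMPLE_BOGONS = tuple(ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24",
    "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
))

# Constructed source addresses seen arriving on an interface.
SAMPLE_SOURCES = ("8.8.8.8", "192.168.1.50", "10.20.30.40",
                  "203.0.113.7", "240.1.2.3")


def evaluate(source, block_private, block_bogon):
    """Return ("block", reason) or ("no-match", None) for one source address."""
    address = ipaddress.ip_address(source)
    if block_private:
        for network in PRIVATE_AND_LOOPBACK:
            if address in network:
                return ("block", f"private/loopback {network}")
    if block_bogon:
        for network in SAMPLE_BOGONS:
            if address in network:
                return ("block", f"bogon {network}")
    return ("no-match", None)


def report(sources, block_private, block_bogon):
    """Map each source address to the verdict of the two options."""
    return {s: evaluate(s, block_private, block_bogon)[0] for s in sources}


def would_block_own_clients(interface_cidr):
    """True if enabling the private-network option on this interface would
    drop traffic from hosts on the interface's own subnet."""
    network = ipaddress.ip_network(interface_cidr, strict=False)
    return any(network.overlaps(p) for p in PRIVATE_AND_LOOPBACK)


if __name__ == "__main__":
    print("WAN, both options checked:")
    for source, verdict in report(SAMPLE_SOURCES, True, True).items():
        print(f"  {source:15} {verdict}")
    print("LAN 192.168.1.0/24, both options unchecked:")
    for source, verdict in report(SAMPLE_SOURCES, False, False).items():
        print(f"  {source:15} {verdict}")
    print("Checking the private option on LAN would cut off LAN clients:",
          would_block_own_clients("192.168.1.1/24"))
```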
Additional WAN configuration
Most likely, you won't have to do any additional configuration for the WAN interface; the configuration done in the Setup Wizard will be enough to get you started. If you need to make changes, however, follow these steps:
- Navigate to Interfaces | WAN in the main menu.
- The most likely scenario is that your ISP will provide an IP address via DHCP, but many providers will provide you with a static IP address if you require one. In such cases, you will need to set your Configuration Type to Static and then enter your WAN IP address and CIDR under either the Static IPv4 Configuration or Static IPv6 Configuration (or possibly both, if you plan to have both an IPv4 and IPv6 address).
- You will also need to specify your ISP's gateway, which you can do by clicking on the Add a new gateway button. A dialog box will appear in which you can enter the IP address and a description.
- If you have selected DHCP as the configuration type, then there are several options in addition to the ones available in the Setup Wizard. Clicking on the Advanced checkbox in the DHCP client configuration causes several additional options to appear in this section of the page.
  - The first is Protocol Timing, which allows you to control DHCP protocol timings when requesting a lease. You can also choose several presets (FreeBSD, pfSense, Clear, or Saved Cfg) using the radio buttons on the right.
  - There is also a Configuration Override checkbox which, if checked, allows you to specify the absolute path to a DHCP client configuration file in the Configuration Override File edit box. If your ISP supports pfSense, it should be able to provide you with a valid configuration override file.
  - If the Configuration Override checkbox is not checked, there will be three edit boxes in this section under the checkboxes. The first is Hostname; this field is sent as a DHCP hostname and client identifier when requesting a DHCP lease. Alias IPv4 address allows you to enter a fixed IP address for the DHCP client. The Reject Leases from field allows you to specify the IP address or subnet of an upstream DHCP server to be ignored.
  - The next section is Lease Requirements and Requests. Here you can specify send, request, and require options when requesting a DHCP lease. These options are useful if your ISP requires these options. The last section is Option Modifiers, where you can add DHCP option modifiers, which are applied to an obtained DHCP lease.
- Starting with pfSense version 2.2.5, there is support for IPv6 with DHCP (DHCP6). If you are running 2.2.5 or above, there will be a section on the page called DHCP6 client configuration.
- Similar to the configuration for IPv4 DHCP, there are checkboxes for Advanced Configuration and Configuration Override.
- Checking the Advanced checkbox in the heading of this section displays the Advanced DHCP 6 options:
  - If you check the Information Only checkbox on the left, pfSense will send requests for stateless DHCPv6 information.
  - You can specify Send and Request options, just as you can for IPv4.
  - There is also a Script field where you can enter the absolute path to a script that will be invoked on certain conditions.
  - The next options are for the Identity Association Statement checkboxes. The NonTemporary Address Allocation checkbox results in normal (that is, not temporary) IPv6 addresses being allocated for the interface. The Prefix Delegation checkbox causes a set of IPv6 prefixes to be allocated from the DHCP server.
  - The next set of options, Authentication Statement, allows you to specify authentication parameters to the DHCP server. The Authname parameter allows you to specify a string, which in turn specifies a set of parameters.
  - The remaining parameters are of limited usefulness in configuring a DHCP6 client, because each has only one allowed value, and leaving them blank will result in only the allowed value being used. If you are curious as to what these values are here they are:
- Finally, Key info Statement allows you to enter a secret key. The required fields are key id, which identifies the key, and secret, which provides the shared secret. key name and realm are arbitrary strings and may be omitted. expire may be used to specify an expiration time for the key, but if it is omitted, the key will never expire.
  - If you do not check the configuration override checkbox (in which case you will specify a configuration override file, similar to how this option works with DHCP over IPv4), there will be several more options in this DHCP Client Configuration section. Use IPv4 connectivity as parent interface allows you to request an IPv6 prefix over an IPv4 link. Request only an IPv6 prefix allows you to request just the prefix, not an address. DHCPv6 Prefix Delegation size allows you to specify the prefix length.
  - You can check the Send IPv6 prefix hint to indicate the desired prefix length, Debug for debugging, and select Do not wait for an RA (router advertisement) and/or Do not allow PD/Address release, if your ISP requires it.
- The last section on the page is identical to the interface configuration page in the Setup Wizard, and contains the Block Private Networks and Block Bogon Networks checkboxes.
Note
For information on how to configure other Configuration Type options such as PPTP and PPPoE, refer to the information about Setup Wizard configuration under the heading Configuration from the web GUI.
General setup options
You can find several configuration options under System | General Setup. Most of these are identical to settings that can be configured in the Setup Wizard (Hostname, Domain, DNS servers, Timezone, and NTP server). There are two additional settings available:
- The Language drop-down box allows you to select the web configurator language.
- Under the Web Configurator section, there is a Theme drop-down box that allows you to select the theme. The default theme of pfSense is perfectly adequate, but you can select another one here. There are several new theme options available for version 2.4, so if you have not tried these, you may want to do so.
pfSense 2.3 added new options to control the look and feel of the web interface and 2.4 has added some more; these settings are also found in the Web Configurator section of the General Settings page:
- The top navigation drop-down box allows you to choose whether the top navigation scrolls with the page, or remains anchored at the top as you scroll.
- The Hostname in the Menu option allows you to replace the Help menu title with the system name or fully qualified domain name (FQDN).
- The Dashboard Columns option allows you to select the number of columns on the dashboard page (the default is 2).
- The next set of options is Associated Panels Show/Hide. These options control the appearance of certain panels on the Dashboard and System Logs page. The options are:
  - Available Widgets: Checking this box causes the Available Widgets panel to appear on the Dashboard. Prior to version 2.3, the Available Widgets panel was always visible on the Dashboard.
  - Log Filter: Checking this box causes the Advanced Log Filter panel to appear on the System Logs page. Advanced Log Filter allows you to filter the system logs by time, process, PID, and message.
  - Manage Log: Checking this box causes the Manage General Log panel to appear on the System Logs page. The Manage General Log panel allows you to control the display of the logs, how big the log file may be, and the formatting of the log file, among other things.
  - Monitoring Settings: Checking this box causes the Settings section to appear on the Status | Monitoring page, which allows custom configuration of the interactive graph on that page.
- The Require State Filter checkbox, if checked, causes the state table in Diagnostics | States to only appear if a filter is entered.
- The last option on this page, Left Column Labels, allows you to select/toggle the first item in a group by clicking on the left column if checked.
- The last three options on the page were added with version 2.4:
  - The Alias Popups checkbox, if checked, will disable showing the details of an alias in alias popups that appear when dragging the mouse over an alias on the Firewall page.
  - The Login page color drop-down box allows you to customize the login page color; the current default color is blue.
  - Finally, the Login hostname checkbox, when checked, will display the hostname on the login page. Having the hostname on the login page can be a helpful reminder if you are managing a large network with several firewalls, but it also potentially gives away what network is being secured.
- Click on Save at the bottom of the page to save any changes.
Note
Version 2.4.3 has added Cross-site request forgery (CSRF) protection to the dashboard widgets.