Firewall Rules in pfSense: Part Two

Highlighting a rule in the pfSense GUI.

In the previous article, I covered basic firewall rules in pfSense. But pfSense 2.0 has a whole new set of advanced setup options, which I will cover in this article.

pfSense evaluates the rules on an interface tab from the top down. The first rule that matches a packet decides its fate and no later rule is consulted, so a broad rule placed above a narrower one silently shadows it. Put very specific rules (particular hosts, particular ports, and especially block rules) at the top and the generic “allow” rules at the bottom, which is what most administrators do. Two details are worth knowing: rules on the Floating tab are evaluated before the interface tabs, and a floating rule without the “Quick” option only takes effect if no later rule matches. To reorder a rule, select it and click the “move selected rules before this rule” button.


You also may want to create a rule that’s very similar to an existing rule. To save time, you can copy the rule with the “add a new rule based on this one” button (the plus button).
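As an added illustration (this is not code from the original article or from pfSense), the following Python models first-match evaluation of an interface tab's rule list and what the move button does to it. The aliases, the three-entry stand-in for the bogon list, and the packet addresses are constructed for the example:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed network aliases for this example. "bogons" is a three-entry
# stand-in for the bogon list pfSense downloads; the real list is far longer.
ALIASES = {
    "private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"],
    "bogons": ["0.0.0.0/8", "100.64.0.0/10", "192.0.2.0/24"],
    "webserver": ["192.168.1.125/32"],
}


@dataclass
class Rule:
    action: str                   # "pass", "block" or "reject"
    proto: Optional[str] = None   # None matches any protocol
    src: str = "any"              # alias name, CIDR literal or "any"
    dst: str = "any"
    dport: Optional[int] = None   # None matches any destination port
    description: str = ""


def _addr_matches(spec: str, addr: str) -> bool:
    """Match an address against an alias name, a CIDR literal, or "any"."""
    if spec == "any":
        return True
    nets = [ipaddress.ip_network(c) for c in ALIASES.get(spec, [spec])]
    return any(ipaddress.ip_address(addr) in n for n in nets)


def matches(rule: Rule, pkt: dict) -> bool:
    return ((rule.proto is None or rule.proto == pkt["proto"])
            and _addr_matches(rule.src, pkt["src"])
            and _addr_matches(rule.dst, pkt["dst"])
            and (rule.dport is None or rule.dport == pkt["dport"]))


def evaluate(rules, pkt):
    """Top-down, first-match-wins evaluation, as pfSense does for the rules on
    an interface tab. Returns (action, index) of the rule that decided the
    packet, or ("block", None) for the implicit default deny when nothing
    matches."""
    for index, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, index
    return "block", None


def move_before(rules, index, before):
    """Mimic the GUI's "move selected rules before this rule" button.
    Returns a new list; the original is left untouched."""
    reordered = list(rules)
    rule = reordered.pop(index)
    if before > index:
        before -= 1
    reordered.insert(before, rule)
    return reordered


# A WAN rule set in the order the article recommends: the two specific block
# rules first, the generic pass rule last.
WAN_RULES = [
    Rule("block", src="private", description="Block private networks"),
    Rule("block", src="bogons", description="Block bogon networks"),
    Rule("pass", proto="tcp", dst="webserver", dport=80,
         description="Allow HTTP to the Apache server"),
]


def shadowing_demo():
    """Verdicts for a constructed HTTP request from a bogon source address,
    first with the rules in the recommended order and then after the pass
    rule has been moved to the top, where it shadows both block rules."""
    spoofed = {"proto": "tcp", "src": "192.0.2.77",
               "dst": "192.168.1.125", "dport": 80}
    before = evaluate(WAN_RULES, spoofed)
    after = evaluate(move_before(WAN_RULES, 2, 0), spoofed)
    return before, after


if __name__ == "__main__":
    for rule in WAN_RULES:
        print(rule.action.ljust(6), rule.description)
    print("spoofed HTTP request, recommended order:", shadowing_demo()[0])
    print("spoofed HTTP request, pass rule on top:  ", shadowing_demo()[1])
```

The spoofed request is stopped by the second rule in the recommended order, but passes as soon as the generic HTTP rule is moved above the block rules; nothing in the GUI warns you when a reorder has that effect, so check the order whenever you move a rule.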

Firewall Rules: Advanced Features

Advanced features section for firewall rules in the pfSense web GUI.

With pfSense 2.0, when you add or edit a firewall rule, there is an Advanced Features section. Each feature adds a further criterion to the rule: the rule then matches only when a packet satisfies the advanced criteria as well as the basic ones. Click the Advanced button next to each feature to display its settings. Here are the features:

Source OS option under firewall rules in pfSense 2.0.

  • Source OS: This option attempts to match the operating system of the sending host using pf's passive OS fingerprinting, which compares the characteristics of the TCP SYN packet against a signature database. The UNIX world is well represented on the list, with FreeBSD, NetBSD, and OpenBSD, as well as Linux and Solaris; Windows and Novell are also on the list. It applies to TCP only, and a sender can craft its SYN to look like any OS it likes, so treat this as a convenience filter rather than a security boundary.
  • Diffserv Code Point: Diffserv is a mechanism for providing Quality of Service for network traffic; devices along the path can prioritize traffic based on the code point value in the IP header. The value is set by the sender or rewritten by an upstream router, so, like Source OS, it is a shaping hint and nothing to base a security decision on.
  • Advanced Options: This contains a number of options. The options are as follows:
    • Allow packets with IP options to pass: Packets with IP options are blocked by default, and for good reason: some IP options (source routing, for example) can be used by attackers to hide the true source of a packet or to steer it into a protected network, and others can be used to glean information about the topology and addressing scheme of a network. IP options also tax the CPU of the router and can be used in denial of service (DoS) attacks. Nonetheless, there are legitimate reasons for allowing these packets: IGMP and other multicast control traffic carries the Router Alert option, so a rule that passes IGMP needs this box checked.
    • Disable auto-generated reply-to for this rule: On a WAN-type interface (one that has a gateway), pfSense adds pf's reply-to keyword to each pass rule so that reply traffic for a connection leaves through the same gateway the connection arrived on; this is what makes inbound connections work on a multi-WAN setup. Check this box if that behaviour is getting in the way, for example when the interface also carries traffic for directly connected networks that should follow the routing table instead.
    • Mark a packet: Tag packets matching this rule; the tag can then be matched by other NAT or filter rules.
    • Match packet on a mark placed before on another rule: Match only packets that were tagged by an earlier rule.
    • Maximum state entries this rule can create: Limits the total number of state entries this rule can create. If the maximum is reached, packets that would normally create a state no longer match this rule until the number of existing states falls below the limit.
    • Maximum number of unique source hosts: Limits the number of distinct source addresses that can have states created by this rule.
    • Maximum number of established connections per host: Limits the number of fully established TCP connections per source host; useful against connection-exhaustion DoS attacks.
    • Maximum state entries per host: Limits the number of state entries per source host.
    • Maximum new connections / per second(s): Limits a source host to X new connections per Y seconds, where X and Y are entered here. A host that exceeds the rate is added to a table of overloaded sources (pfSense names it virusprot), its existing states are dropped, and it stays blocked until the table entry expires, so choose values that a legitimate but busy client will not trip.
    • Timeout in seconds: Overrides the default state timeout for states created by this rule.
  • TCP Flags: Specific TCP flags can be required here. For each flag you choose whether it must be set and whether it is examined at all (“out of”); the default for a stateful TCP pass rule is SYN set out of SYN and ACK, so only the first packet of a connection can create a state. The flags are:
    • FIN – No more data from sender
    • SYN – Synchronize sequence numbers (seen on new connections)
    • RST – Reset the connection (seen on rejected connections)
    • PSH – Push function
    • ACK – Indicates that the ACKnowledgment field is significant
    • URG – Indicates that the URGent pointer field is significant
  • State Type: Select which type of state tracking mechanism you would like to use from the following options – keep state (full stateful tracking, including TCP sequence number checks), sloppy state (stateful, but without the sequence checks, for asymmetric routing where the firewall sees only one direction of a connection), synproxy state (pfSense completes the TCP handshake itself before opening a connection to the server, which protects the server against SYN floods; TCP only), and none (no state is created, so you must also write a rule for the reply traffic). If in doubt, use keep state.
  • No XMLRPC Sync: This prevents the rule from being copied to the other node of a high-availability (CARP) pair by configuration sync.
  • Schedule: Specify the schedule during which the rule is active. Schedules defined in Firewall -> Schedules appear in the drop-down box.
  • Gateway: A gateway or gateway group other than the default may be specified here to policy-route matching traffic (for multi-WAN, for example). Leave it as ‘default’ to use the system routing table.
  • In/Out: Select the limiter (dummynet pipe, labelled queue/virtual interface in the GUI) to apply to traffic in each direction. In applies to traffic entering the interface the rule is defined on, Out to traffic leaving it; choose an Out pipe only if you have also selected an In pipe. On a floating rule with direction In the same applies; with direction Out the roles are reversed, so Out refers to incoming and In to outgoing traffic.
  • Ackqueue/Queue: Specify alternative traffic shaper queues for traffic matching this rule; Queue is for the data and Ackqueue for the returning acknowledgements.
  • Layer7: Choose a Layer7 container to apply application protocol inspection rules. These are valid for TCP and UDP protocols only. (This feature was removed in later pfSense releases.)
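The per-host limits are the options most worth understanding before you use them, because exceeding the connection rate blocks the offending source outright. The following Python is an added model of that behaviour, not pf's or pfSense's code; the traffic, addresses and limit values are constructed, and the model simplifies pf by counting every passed connection as exactly one state:

```python
from collections import defaultdict, deque


class SourceLimiter:
    """Per-source limits modelled on the pf options behind two of the fields
    in the Advanced Options section:

      max_src_states -- "Maximum state entries per host"
      conn_rate      -- "Maximum new connections / per second(s)", given as a
                        (count, window_seconds) pair

    A source that exceeds conn_rate is put into an overload table (pfSense
    uses a table named virusprot) and its existing states are dropped;
    further connections from it are refused until it leaves the table.
    Time is passed in explicitly so the behaviour is reproducible."""

    def __init__(self, max_src_states=None, conn_rate=None):
        self.max_src_states = max_src_states
        self.conn_rate = conn_rate
        self.states = defaultdict(int)      # open states per source
        self.recent = defaultdict(deque)    # timestamps of recent new connections
        self.overloaded = set()             # the "virusprot" table

    def new_connection(self, src, now):
        """Return "pass" or a "blocked: <reason>" verdict for a new connection."""
        if src in self.overloaded:
            return "blocked: overloaded"
        if self.max_src_states is not None and self.states[src] >= self.max_src_states:
            return "blocked: max-src-states"
        if self.conn_rate is not None:
            count, window = self.conn_rate
            history = self.recent[src]
            while history and now - history[0] >= window:   # forget old connections
                history.popleft()
            if len(history) >= count:                         # this would be number count+1
                self.overloaded.add(src)
                self.states[src] = 0        # the offender's states are flushed
                history.clear()
                return "blocked: overloaded"
            history.append(now)
        self.states[src] += 1
        return "pass"

    def close_connection(self, src):
        """A state expired or was closed, freeing one slot for the source."""
        if self.states[src] > 0:
            self.states[src] -= 1

    def expire_overload(self, src):
        """pfSense clears the overload table periodically from cron; model that
        for a single source."""
        self.overloaded.discard(src)


def rate_limit_demo():
    """Constructed traffic: one host opens seven connections within two
    seconds against a rule limited to 5 new connections per 10 seconds.
    Returns the verdicts and the contents of the overload table."""
    limiter = SourceLimiter(max_src_states=50, conn_rate=(5, 10))
    verdicts = [limiter.new_connection("198.51.100.10", t * 0.3) for t in range(7)]
    return verdicts, sorted(limiter.overloaded)


def state_limit_demo():
    """Constructed traffic: a host allowed three states at a time is refused a
    fourth, and is allowed again once one of its connections closes."""
    limiter = SourceLimiter(max_src_states=3)
    verdicts = [limiter.new_connection("198.51.100.20", t) for t in range(4)]
    limiter.close_connection("198.51.100.20")
    verdicts.append(limiter.new_connection("198.51.100.20", 4))
    return verdicts


if __name__ == "__main__":
    print("rate limit:", rate_limit_demo())
    print("state limit:", state_limit_demo())
```

The two limits fail differently: a host over "Maximum state entries per host" is refused only until one of its connections closes, whereas a host over the connection rate loses every existing connection and stays blocked until the overload table entry expires. Size the rate with busy legitimate sources in mind, such as a NAT gateway that fronts many users and so presents them all as a single address.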

That covers the advanced options for firewall rules in pfSense 2.0, which show the level of granularity pfSense offers in firewall configuration. Most of these options can be left unchanged most of the time, but several of them, such as the per-host state and connection-rate limits, gateway selection for multi-WAN, and schedules, are useful in enterprise-level deployments. “Source OS”, by contrast, is a heuristic that is easy to fool and is best treated as a convenience rather than a control.


Firewall Rules in pfSense: Part One

Firewall: Rules page in the pfSense web GUI.

In the previous article about NAT port forwarding, we used “Add associated filter rule” in order to generate the firewall rule for the Apache web server. We could, however, have chosen “None” for the “Filter Rule Association” and created the rule ourselves. This article describes how to create firewall rules.


Adding Firewall Rules

In order to do this, first browse to Firewall -> Rules. There will be at least three tabs: “Floating“, “WAN” and “LAN“. Select “WAN” if it isn’t already selected. On the WAN tab there are two pre-configured rules by default: “Block private networks” (which blocks traffic arriving with a source address in the RFC 1918 ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, or in the loopback range) and “Block bogon networks” (which blocks source addresses that IANA has not allocated and which should therefore never appear on the Internet). Press the “Plus” button to add a new firewall rule. Under “Action”, there are three options: “Pass“, “Block”, and “Reject“. The web GUI has the following explanation of the difference between “Block” and “Reject“:

Hint: the difference between block and reject is that with reject, a packet (TCP RST or ICMP port unreachable for UDP) is returned to the sender, whereas with block the packet is dropped silently. In either case, the original packet is discarded.

In this case, you can leave the default unchanged as “Pass“. (As a rule of thumb for the other two: use “Block” on the WAN, so that a scanner learns nothing from the lack of a response, and “Reject” on internal interfaces, so that local clients fail quickly instead of waiting for a timeout.) Next is the option to “Disable this rule“; we don’t want to do this so leave this box unchecked. At “Interface”, you will again have a choice of “LAN“, “WAN” and whatever other interfaces were configured; choose “WAN“.

Adding a firewall rule in pfSense.

At “Protocol“, there are a number of options in addition to the four listed under NAT port forwarding:

  • “ICMP” stands for Internet Control Message Protocol. It carries error and diagnostic messages, indicating for example that a requested service is not available or that a host or router could not be reached, as well as query messages such as the echo request and reply used by ping.
  • “AH” stands for Authentication Header (IP protocol 51), part of the IPsec suite. It provides connectionless integrity and data origin authentication for IP datagrams and protection against replay attacks, but no encryption.
  • “IGMP” stands for Internet Group Management Protocol, used by hosts and adjacent routers on IP networks to establish multicast group memberships; it underpins one-to-many applications such as streaming video. (Passing IGMP also requires the “Allow packets with IP options to pass” advanced option.)
  • “OSPF” stands for Open Shortest Path First, a link-state routing protocol for IP networks that belongs to the group of interior routing protocols.
  • “CARP” stands for Common Address Redundancy Protocol, which allows multiple hosts on the same local network to share a set of IP addresses. Its primary purpose is to provide failover redundancy.
  • “pfsync” synchronizes firewall state tables between machines running Packet Filter (PF) for high availability. It is used along with CARP to make sure the backup firewall has the same state information as the primary; since pfsync traffic is not authenticated, it should only run on a dedicated link between the two firewalls.

In this case, we should leave the default protocol “TCP” unchanged.


At “Source“, specify “any” as the “Type” and at “Source Port Range“, also specify any. The “Type” options are the same as the options under “Source” and “Destination” for NAT port forwarding; therefore I will not go into detail on them here. In “Destination“, select “Single host or alias” as the type, and specify 192.168.1.125 (our Apache server) for the “Address”. Note that the rule names the internal address, not the WAN address: pf applies the NAT redirection before it evaluates the filter rules, so by the time this rule is consulted the packet’s destination has already been rewritten to 192.168.1.125, and a rule written against the public address would never match. At “Destination Port Range“, specify “HTTP“. Check “Log packets that are handled by this rule” if you want a firewall log entry for each connection; for a rule that exposes a service to the Internet that is usually worth having. Specify a “Description” if you wish and press the “Save” button to save the changes.

Firewall Rules: The Source Port Range is Usually Unknown

It should be noted that when a firewall rule is created, the “Source Port Range” is almost always left at “any“. The client’s operating system picks the source port for each new connection from its ephemeral range (somewhere between 1024 and 65535, depending on the OS), and it changes from one connection to the next, so it bears no relation to the port requested on the server and is not something the end user ever sees. Because we cannot predict it, restricting the source port in a rule would only break legitimate connections without keeping anyone out.

In the next article, I will go into some detail on rule ordering and on the advanced options for firewall rules under pfSense 2.0.

External Links:

Firewall Rule Basics at doc.pfsense.org

Port Forwarding with NAT in pfSense

Firewall -> NAT configuration page in the pfSense web GUI.

In computer networking, Network Address Translation (NAT) is the process of modifying IP address information in IPv4 headers while in transit across a traffic routing device. In most cases, it involves translating from the WAN IP address to the 192.168.x.x addresses of your local network. In this article, I will describe how to set up NAT port forwarding.

NAT and firewall rules are distinct and separate. NAT rules forward traffic, while firewall rules block or allow traffic. In the next article, I will cover firewall rules, but for now keep in mind that just because a NAT rule is forwarding traffic does not mean the firewall rules will allow it.

NAT Port Forwarding

NAT port forwarding rules can differ in complexity, but in this example, let’s assume we set up an Apache server at 192.168.1.125 on the local network, and we want to direct all HTTP traffic (port 80) arriving on the WAN to that address. First, browse to Firewall -> NAT. The tabs are “Port Forward“, “1:1” and “Outbound“. Select the “Port Forward” tab. Click the “plus” button in order to create a new NAT port forward rule. “Disable this rule” and “No RDR (NOT)” can be left unchanged; the latter makes a rule match without redirecting anything, which is only useful for carving an exception out of a broader forward. For “Interface” you can choose WAN or LAN; we are concerned with incoming requests from the Internet, so keep it as WAN.


For “Protocol”, there are five choices: TCP, UDP, TCP/UDP, GRE, and ESP. TCP stands for Transmission Control Protocol, a connection-oriented transport layer protocol of the Internet protocol suite. This is usually what we want to use. Next is UDP, or User Datagram Protocol, another transport layer protocol which is also part of the Internet protocol suite. It is suitable for purposes where error checking and correction are either not necessary or are performed in the application. GRE stands for Generic Routing Encapsulation (IP protocol 47), a tunneling protocol that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links. It is used, among other things, in conjunction with PPTP to create VPNs. ESP stands for Encapsulating Security Payload (IP protocol 50), a member of the IPsec protocol suite which provides authenticity, integrity and confidentiality protection of packets. GRE and ESP have no port numbers, so a forward for them redirects the whole protocol. In this port forwarding scenario, you can leave the protocol unchanged (TCP).

Adding a NAT port forwarding rule.

For “Source“, you can specify the allowed client source. Typically you can leave it as “any”, but there are several choices: “Single host or alias“, “Network“, “PPTP clients“, “PPPoE clients“, “L2TP clients“, “WAN subnet“, “WAN address“, “LAN subnet“, and “LAN address“. In this case, you can leave the default (any) unchanged.

For “Source port range“, leave both the from and to boxes at “any”: the source port is chosen by the client and changes with every connection, so port 80 belongs only in the destination. (Filling in HTTP here is a common mistake that produces a forward which never matches.) “Destination” offers the same choices as “Source” and can be left unchanged (the WAN address). “Destination port range” should be set to HTTP in both the from and to drop-down boxes. For “Redirect target IP“, specify the web server the traffic is to be forwarded to (in our case, 192.168.1.125). For “Redirect target Port“, choose HTTP. Next is “No XMLRPC Sync“; enabling this option prevents the rule from being copied to a redundant firewall by CARP configuration sync. It can be left unchecked for now. “NAT Reflection” lets clients on the LAN reach the forwarded service through the public address rather than only from the Internet; it is usually disabled, and the system-wide setting applies unless you override it here. “Filter Rule association” controls the firewall rule that goes with this forward: “Add associated filter rule” creates a pass rule that is tied to this NAT entry and updated along with it, “Add unassociated filter rule” creates a separate rule you maintain yourself, “Pass” lets the forwarded traffic through without any filter rule at all, and “None” creates nothing, in which case you must write the rule by hand (covered in the next article). Choose “Add associated filter rule” to avoid having to create a separate firewall rule. Add a description if you wish, press “Save” to save the changes, and then “Apply changes”. The port forwarding rule should now be in effect.

NAT Port Redirection

In this case, we passed traffic from port 80 on the WAN to port 80 on the destination, which is the classic port forwarding scenario. But there’s no reason you can’t redirect traffic to a different port. There are two reasons you might want to do this:

[1] Reducing exposure to scanners: Moving a service off its well-known port keeps it out of the path of the automated scans and brute-force bots that hammer ports 21 and 22 all day. For example, an FTP server forwarded from a high, unassigned external port (e.g. 51782) to port 21 internally sees far less of that noise, and the same can be said of SSH; users will have to know the port in order to access it. Be clear about what this buys you: it is obscurity, not access control. Anyone who scans all 65535 ports will still find the service, so it must still be patched and protected by strong authentication. Also avoid re-using a port that belongs to another service (69, for instance, is TFTP’s well-known port), as that confuses both users and your firewall logs.

[2] Single public IP address, more than one computer with the same service: Smaller networks with only a single public IP address may be stuck if they want to expose several instances of the same service. For example, imagine that we want two separate FTP servers on two separate computers. With port redirection, we create two different NAT rules: the first redirects port 51782 to port 21 on FTPServer1, and the second redirects port 51783 to port 21 on FTPServer2. We can then reach two separate FTP servers on two different computers through the same public IP address. (FTP is an awkward example in practice, because it opens a separate data connection; the servers’ passive-mode port ranges have to be forwarded as well.)
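To make the translate-then-filter order, the source-port question, and the port-redirection scenario concrete, here is an added Python model of what pf does with an inbound packet (this is not pfSense's code). The WAN address 203.0.113.10, the client address, and the two FTP server addresses 192.168.1.21 and 192.168.1.22 are constructed for the example:

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class PortForward:
    interface: str
    proto: str
    dst_ip: str        # address the client connected to (the WAN address)
    dst_port: int      # "Destination port range"
    target_ip: str     # "Redirect target IP"
    target_port: int   # "Redirect target port"


@dataclass(frozen=True)
class FilterRule:
    action: str
    proto: str
    dst_ip: str
    dst_port: int


WAN_ADDRESS = "203.0.113.10"   # constructed public address for the example

NAT_RULES = [
    PortForward("wan", "tcp", WAN_ADDRESS, 80, "192.168.1.125", 80),    # classic HTTP forward
    PortForward("wan", "tcp", WAN_ADDRESS, 51782, "192.168.1.21", 21),  # FTPServer1 (constructed)
    PortForward("wan", "tcp", WAN_ADDRESS, 51783, "192.168.1.22", 21),  # FTPServer2 (constructed)
]


def associated_filter_rule(fwd: PortForward) -> FilterRule:
    """What "Add associated filter rule" produces: a pass rule whose
    destination is the post-translation target, not the WAN address."""
    return FilterRule("pass", fwd.proto, fwd.target_ip, fwd.target_port)


def translate(pkt: dict, nat_rules) -> Tuple[dict, Optional[PortForward]]:
    """Apply the first matching redirect (pf 'rdr') rule. The client's source
    port is deliberately not a criterion: it is ephemeral, which is why the
    NAT rule's Source port range stays at "any"."""
    for rule in nat_rules:
        if (rule.interface == pkt["interface"] and rule.proto == pkt["proto"]
                and rule.dst_ip == pkt["dst_ip"] and rule.dst_port == pkt["dst_port"]):
            return {**pkt, "dst_ip": rule.target_ip, "dst_port": rule.target_port}, rule
    return pkt, None


def filter_packet(pkt: dict, rules) -> str:
    """First-match filter; no match means the default deny."""
    for rule in rules:
        if (rule.proto == pkt["proto"] and rule.dst_ip == pkt["dst_ip"]
                and rule.dst_port == pkt["dst_port"]):
            return rule.action
    return "block"


def process(pkt: dict, nat_rules, filter_rules):
    """pf's order of operations for an inbound packet: translate, then filter.
    Returns (verdict, destination address, destination port) after translation."""
    translated, _ = translate(pkt, nat_rules)
    return filter_packet(translated, filter_rules), translated["dst_ip"], translated["dst_port"]


def inbound(dst_port: int, src_port: int = 49152) -> dict:
    """A constructed TCP packet from an Internet client to our WAN address."""
    return {"interface": "wan", "proto": "tcp", "src_ip": "198.51.100.7",
            "src_port": src_port, "dst_ip": WAN_ADDRESS, "dst_port": dst_port}


GENERATED_RULES = [associated_filter_rule(r) for r in NAT_RULES]
# A hand-written rule that names the public address instead of the target:
# it can never match, because the packet has already been rewritten.
MISTAKEN_RULES = [FilterRule("pass", "tcp", WAN_ADDRESS, 80)]

if __name__ == "__main__":
    for port in (80, 51782, 51783, 22):
        print(port, "->", process(inbound(port), NAT_RULES, GENERATED_RULES))
    print("rule written against the WAN address:",
          process(inbound(80), NAT_RULES, MISTAKEN_RULES))
```

Port 22 has no forward, so it arrives untranslated and hits the default deny; the two FTP forwards land on different internal hosts even though clients connect to the same public address; and the hand-written rule against 203.0.113.10 blocks the very traffic it was meant to pass, because the filter sees 192.168.1.125.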


External Links:

Port Forwarding Troubleshooting at doc.pfsense.org

Firewall Configuration: Aliases

One of the main functions of any firewall is to enforce rules about which traffic may pass and to perform port forwarding, and pfSense does both from the “Firewall” menu of its web interface. In this article, the first in a series covering pfSense firewall configuration, I cover creating an alias in pfSense.

Firewall Configuration: Aliases

Firewall -> Aliases page in the pfSense web GUI.

A good description of aliases can be found from the pfSense web GUI page for Firewall -> Aliases:

Aliases act as placeholders for real hosts, networks or ports. They can be used to minimize the number of changes that have to be made if a host, network or port changes. You can enter the name of an alias instead of the host, network or port in all fields that have a red background. The alias will be resolved according to the list above. If an alias cannot be resolved (e.g. because you deleted it), the corresponding element (e.g. filter/NAT/shaper rule) will be considered invalid and skipped.

Here, I create a sub-alias called “allhosts”.

With this in mind, here is how you can set up an alias in pfSense. First, browse to Firewall -> Aliases. Click the “plus” button to add a new alias. The first field is “Name“; type in a name for the alias. At “Description“, you can add an optional description. Next, select an alias type at “Type“. Depending on which type you choose (Host(s), Network(s), Port(s), OpenVPN Users, URL, or URL Table), you will have different fields to fill out to complete the configuration. Selecting “Host(s)” creates an alias that holds one or more IP addresses (or hostnames, which pfSense resolves periodically). Selecting “Network(s)” creates an alias that holds one or more networks in CIDR notation. Selecting “Port(s)” creates an alias that holds one or more ports or port ranges. Selecting “OpenVPN Users” creates an alias that holds one or more OpenVPN usernames. Selecting “URL” fetches a list of addresses or ports from a URL once and stores the result in the alias. Selecting “URL Table” creates an alias that holds a single URL pointing to a large list of addresses or subnets, which pfSense re-downloads on a schedule; this comes in handy if you need to import a large block list. Because the contents of a URL or URL Table alias become part of your firewall policy, point them only at a source you trust, and fetch over HTTPS where possible. When you are done entering the configuration data for whichever type you selected, press “Save” to save the changes, and if necessary, press “Apply changes” to apply the changes.


An example of using an alias in adding a NAT port forwarding rule.

It is also possible to nest aliases inside other aliases (sub-aliases), which makes firewall management even easier. For example, suppose we have three hosts – host1, host2, and host3 – each defined as its own alias, all of which must connect to our FTP server. We can set up an alias called allhosts whose entries are host1, host2, and host3 and use it in a single rule; adding a fourth host later is then a change to one alias rather than to every rule that mentions it.

Once you have added an alias, you can use it in any field of the pfSense GUI that has a red background. Start typing the name of the alias and it will be offered for completion.
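An added Python example (not pfSense code) of how nested aliases expand and why a rule whose alias cannot be resolved is skipped, as the GUI text above describes. The alias table, including the deliberately broken and circular entries, is constructed for the example:

```python
import ipaddress
import re

# Constructed alias table: name -> (type, entries). An entry is either a
# literal (address, network, port or port range) or the name of another
# alias, which is how the "sub-alias" allhosts is built.
ALIASES = {
    "host1": ("host", ["192.168.1.11"]),
    "host2": ("host", ["192.168.1.12"]),
    "host3": ("host", ["192.168.1.13"]),
    "allhosts": ("host", ["host1", "host2", "host3"]),
    "ftp_ports": ("port", ["21", "49152:49160"]),
    "broken": ("host", ["host1", "deleted_alias"]),   # refers to an alias that was deleted
    "loop_a": ("host", ["loop_b"]),                  # circular definition
    "loop_b": ("host", ["loop_a"]),
}

# Constructed rules; each field holds "any", a literal, or an alias name.
RULES = [
    {"src": "allhosts", "dst": "192.168.1.5", "dport": "ftp_ports"},
    {"src": "broken", "dst": "any", "dport": "21"},
    {"src": "loop_a", "dst": "any", "dport": "any"},
]

PORT_RE = re.compile(r"^\d{1,5}(:\d{1,5})?$")   # a single port or a from:to range


class UnresolvedAlias(Exception):
    pass


def is_literal(entry: str) -> bool:
    """True for a port, a port range, an address or a CIDR network."""
    if PORT_RE.match(entry):
        return True
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False


def resolve(name, aliases, _stack=()):
    """Expand an alias, recursively, to a flat list of literal entries.
    Raises UnresolvedAlias for a missing alias, an entry that is neither a
    literal nor an alias, or a circular definition."""
    if name in _stack:
        raise UnresolvedAlias("circular alias: " + " -> ".join(_stack + (name,)))
    if name not in aliases:
        raise UnresolvedAlias(f"alias {name!r} does not exist")
    _kind, entries = aliases[name]
    expanded = []
    for entry in entries:
        if entry in aliases:
            expanded.extend(resolve(entry, aliases, _stack + (name,)))
        elif is_literal(entry):
            expanded.append(entry)
        else:
            raise UnresolvedAlias(f"{entry!r} in alias {name!r} is neither a literal nor a known alias")
    return expanded


def expand_field(value, aliases):
    if value == "any" or is_literal(value):
        return [value]
    return resolve(value, aliases)


def expand_rule(rule, aliases):
    """Expand every field of a rule. Returns None when the rule must be
    skipped because one of its aliases cannot be resolved, which is what
    pfSense does with a rule whose alias was deleted."""
    try:
        return {field: expand_field(value, aliases) for field, value in rule.items()}
    except UnresolvedAlias:
        return None


def load_ruleset(rules, aliases):
    """Split a rule list into (expanded usable rules, skipped original rules)."""
    usable, skipped = [], []
    for rule in rules:
        expanded = expand_rule(rule, aliases)
        if expanded is None:
            skipped.append(rule)
        else:
            usable.append(expanded)
    return usable, skipped


if __name__ == "__main__":
    usable, skipped = load_ruleset(RULES, ALIASES)
    print("usable:", usable)
    print("skipped:", skipped)
```

The security-relevant point is the skip: a pass rule that silently drops out of the ruleset is merely a nuisance, but a block rule that drops out because someone deleted an alias it referenced leaves a hole, so check the rules page for invalid entries after every alias cleanup.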

That covers firewall configuration of aliases under pfSense. In a future installment, I will cover NAT and firewall rules.


External Links:

Aliases from the pfSense wiki at doc.pfsense.org

Static DHCP Mapping in pfSense

In the previous posting, I covered how to configure basic settings for the DHCP server. In this part, I cover static DHCP mappings. A static DHCP mapping ensures a client is always given the same IP address.

Static DHCP Mapping: First Method

Edit static mapping page in the pfSense web GUI.

In order to add static DHCP mappings, browse to Status -> DHCP Leases to view the list of clients that currently hold a lease. Click the “plus” button next to the lease you want to pin to add a static mapping for that client. The MAC address field will be pre-filled; enter an IP address, which must lie within the interface’s subnet but outside the range of dynamically assigned DHCP addresses. Finally, enter a “Hostname” and “Description” if desired. Now press “Save” to save the changes, and “Apply” to apply changes if necessary.

Static DHCP Mapping: Second Method

If no DHCP leases have been issued yet, you may not be able to add static DHCP mappings from Status -> DHCP Leases. Fortunately, there is a second method for adding static DHCP mappings. Browse to Services -> DHCP Server -> Interface (if you followed along with my previous DHCP setup scenario, the interface will be “LAN“). Scroll to the bottom of the page, and you will find “DHCP Static Mappings for this interface.” Click on the Add button to the right. From the Services -> DHCP -> Edit static mapping page, you can type in the “MAC Address“, “IP Address“, “Hostname” and “Description“, as described above.


Now, when a client requests an address, the DHCP server first checks the “DHCP Static Mappings” table. If the client’s MAC address matches a mapping you specified, the DHCP server hands out the IP address from that mapping. If no mapping exists for the client’s MAC address, the server allocates an address from its dynamic range. Alternatively, you could have selected “Deny Unknown Clients” under Services -> DHCP Server -> Interface, in which case a client gets no lease at all unless it is defined in the static mappings table. Keep in mind that all of this keys on the MAC address, which any client can change at will, so static mappings and “Deny Unknown Clients” are a management convenience, not an access control: anyone who plugs in can simply configure an address by hand.

Static mappings can always be viewed at the bottom of the DHCP Server configuration page for each interface. All static mappings for a given interface can be managed here. Existing mappings can be modified or removed, and new static mappings can be created (but you will have to enter the MAC addresses manually).
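An added Python model (not pfSense's DHCP server, which is ISC dhcpd) of the lease decision described above, together with the range check the GUI enforces on static mappings and the “Static ARP” option from the previous article. The subnet, range and MAC addresses are constructed:

```python
import ipaddress


class DhcpServer:
    """Lease assignment modelled on the pfSense DHCP server options: a
    contiguous dynamic range inside the interface subnet, static mappings
    keyed by MAC address (which must lie outside that range), "Deny unknown
    clients" and "Static ARP"."""

    def __init__(self, subnet, range_start, range_end,
                 deny_unknown=False, static_arp=False):
        self.subnet = ipaddress.ip_network(subnet)
        start = ipaddress.ip_address(range_start)
        end = ipaddress.ip_address(range_end)
        if start not in self.subnet or end not in self.subnet or start > end:
            raise ValueError("dynamic range must be contiguous and inside the subnet")
        self.pool = [ipaddress.ip_address(i) for i in range(int(start), int(end) + 1)]
        self.deny_unknown = deny_unknown
        self.static_arp = static_arp
        self.static = {}    # mac -> address from the static mappings table
        self.leases = {}    # mac -> address handed out from the dynamic range

    def add_static_mapping(self, mac, ip):
        """The same checks the GUI performs when you save a mapping."""
        addr = ipaddress.ip_address(ip)
        if addr not in self.subnet:
            raise ValueError(f"{ip} is not in {self.subnet}")
        if addr in self.pool:
            raise ValueError(f"{ip} lies inside the dynamic range; mappings must be outside it")
        if addr in self.static.values():
            raise ValueError(f"{ip} is already mapped to another MAC address")
        self.static[mac.lower()] = addr

    def request(self, mac):
        """Return the address offered to a client, or None if it gets no lease."""
        mac = mac.lower()
        if mac in self.static:          # a static mapping always wins
            return str(self.static[mac])
        if self.deny_unknown:           # only mapped clients are served
            return None
        if mac in self.leases:          # a renewing client keeps its address
            return str(self.leases[mac])
        in_use = set(self.leases.values())
        for addr in self.pool:          # first free address in the range
            if addr not in in_use:
                self.leases[mac] = addr
                return str(addr)
        return None                     # dynamic range exhausted

    def firewall_accepts(self, mac):
        """With Static ARP enabled the firewall only talks to mapped clients,
        even though unmapped ones may still have received a lease."""
        return (not self.static_arp) or mac.lower() in self.static


def demo():
    """Constructed scenario: a three-address dynamic range, one static mapping
    and four dynamic clients, one of which renews."""
    srv = DhcpServer("192.168.1.0/24", "192.168.1.100", "192.168.1.102")
    srv.add_static_mapping("00:11:22:33:44:55", "192.168.1.50")
    clients = ("00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02",
               "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:03", "aa:bb:cc:dd:ee:04")
    return [srv.request(mac) for mac in clients]


if __name__ == "__main__":
    print(demo())
```

The fourth dynamic client gets nothing because the three-address range is full, while the statically mapped client is served from outside the range regardless of how busy the pool is; that is why the GUI insists mappings stay out of the dynamic range.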


External Links:

Configuring DHCP Server and Dynamic DNS Services

DHCP Server Configuration in pfSense

pfSense’s DHCP configuration page in the web GUI.

In the first four parts, I covered installation and setup from the LiveCD, general configurations in the web GUI, WAN and LAN configuration, and setting up a DMZ. In this part, I cover setting up a DHCP server within pfSense. In many scenarios, you will want your pfSense router to also act as a DHCP server. In this case, pfSense’s DHCP service will assign an IP address to any client who requests one.

To configure the DHCP server, go to Services -> DHCP Server. Choose the interface on which the DHCP Server will be active (in this case, I chose LAN). Check “Enable DHCP server on LAN interface“. The next option is “Deny Unknown Clients“. Enabling this option ensures that only clients with static DHCP mappings will receive an IP address. DHCP requests from all other clients will be ignored. If you enable this option, you will have to enter the static DHCP mappings at the bottom of the settings page. Static DHCP mappings will be covered in the next article.


Next, at “Range“, choose a range of IP addresses for DHCP clients to use. The range must be contiguous and within the available range listed above “Range“.

The next setting is “WINS Servers“. WINS stands for Windows Internet Name Service, which is used to map NetBIOS names to IP addresses on Windows-based systems. Unless you are running a WINS server, you can leave this field blank. Next is “DNS Servers“. Here you can specify the DNS servers to be automatically assigned to your DHCP clients. If left blank, pfSense will choose the DNS servers for your clients in one of the following two ways:

  • If DNS Forwarder is enabled, then the IP address of the interface is used. This is because the DNS Forwarder turns the pfSense machine into a DNS server, so the IP of the pfSense machine is assigned to each client.
  • If DNS Forwarder is not enabled, then the DNS servers entered on the “General Setup” page are used. And if “Allow DNS server list to be overridden by DHCP/PPP on WAN” is enabled in “General Setup”, then the DNS servers obtained through the WAN will be used instead.

The next option is “Gateway“. The interface’s own static IP address is handed to clients as their gateway by default, but it can be overridden here if necessary. The domain name specified in the General Setup is used by default, but you can specify an alternative under “Domain Name”.

An alternative lease time can be specified under “Default Lease Time” for clients who do not request a specific expiration time. For those who request a specific expiration time, you can set an alternative under “Maximum Lease Time“.


CARP-configured systems can specify the address of the other node under “Failover Peer IP“ so that the two DHCP servers share the lease pool. Enabling “Static ARP” makes the firewall accept traffic on this interface only from clients with static DHCP mappings. Unknown clients will still receive an IP address from the DHCP server, but their communication with (and through) the firewall will be blocked. [This differs from “Deny Unknown Clients“, where unknown clients don’t get an IP address at all.] Be careful with Static ARP: it applies to the whole interface, so a client you forgot to map, your own workstation included, loses access to the firewall.

“Dynamic DNS” enables clients to automatically register with the Dynamic DNS domain specified. “Additional BOOTP/DHCP Options” allows you to enter custom DHCP options.

Press the “Save” button to save the changes, and press the “Apply” button to apply changes, if necessary.

By now, your DHCP server should be up and running and ready to accept clients. In the next article, I will cover static DHCP mappings.

DHCP Configuration External Links:

DHCP server documentation at pfsense.org
BOOTP/DHCP options

pfSense Setup: Part Four (Setting up a DMZ)

The optional interface configuration page in the pfSense web GUI (which is similar to the WAN and LAN config pages).

In the first three parts, I covered booting and installing pfSense, general configuration options in the pfSense web GUI, and configuring WAN and LAN interfaces (also with the web GUI). In this part, I cover using an optional interface to create a DMZ.

In networking, a DMZ (de-militarized zone) is a separate network segment for hosts that must be reachable from the Internet, such as a mail or web server. It is isolated from the LAN so that a compromised DMZ host cannot be used as a stepping stone into the internal network. In simple terms, the intended traffic flows look like this:

Internet -> DMZ (only the services you forward)
LAN -> DMZ (allowed)
DMZ -> LAN (blocked)

Untrusted Internet traffic is allowed to reach the DMZ, but not the LAN, and the DMZ may not initiate connections into the LAN. To configure it, we will need an optional interface.

Configuring the DMZ

From the web GUI, browse to Interfaces -> OPT1. If “Enable Interface” isn’t checked, check it. Set “Description” to DMZ. Under “Type”, choose “Static” as the address configuration method. For “IP address”, enter the firewall’s address on the DMZ and the subnet mask; the subnet must be different from your LAN’s. For example, if your LAN is 192.168.1.0/24, the DMZ could be 192.168.2.0/24 with the firewall at 192.168.2.1.

For “Gateway”, leave this option set to “None”; a gateway belongs only on interfaces that face upstream, and setting one here would make pfSense treat the DMZ as a WAN-type interface. The last two options are “Block private networks” and “Block bogon networks”. These filter traffic arriving on the interface by its source address, and since the DMZ itself uses a private (RFC 1918) subnet, checking “Block private networks” here would block the DMZ hosts’ own traffic; leave both unchecked (they belong on the WAN). Finally save changes by pressing the “Save” button.


Enabling the interface does not by itself allow any traffic. A new OPT interface has no firewall rules, and pfSense blocks everything that is not explicitly passed, so DMZ hosts can reach neither the LAN nor the Internet until you add rules on the Firewall -> Rules -> DMZ tab. The usual set is a rule blocking traffic from the DMZ subnet to the LAN subnet, followed by a rule passing traffic from the DMZ subnet to any destination; the order matters, because the first matching rule wins. Traffic from the LAN into the DMZ is already permitted by the default “allow LAN to any” rule, and Internet clients reach a DMZ service only through a NAT port forward on the WAN plus its associated firewall rule. This arrangement lets devices on the Internet use DMZ resources without being able to access any of your LAN, which is useful, for example, for an e-mail or FTP server.

You could now attach a switch to your DMZ interface. This would enable you to connect multiple machines to the DMZ.

External Links:

Setting Up a DMZ in pfSense


The Rest of the Guide:

Part One (installation from LiveCD)

Part Two (configuration using the web GUI)

Part Three (WAN and LAN settings)



pfSense Setup: Part Three (WAN and LAN Settings)

In pfSense Setup: Part Two, I covered General Settings within the pfSense web GUI. In this part, I cover configuring the WAN and LAN interfaces. There are a number of different options here; fortunately, pfSense makes the job easy on us by providing reasonable defaults. From the pfSense web GUI menu, go to Interfaces -> WAN.

pfSense Setup: WAN Interface Settings

The WAN settings page in the pfSense web GUI.

The WAN interface provides your connection to the Internet. To access the WAN, you will need a properly-configured WAN interface and an Internet connection. Typically your Internet connection will be through a cable modem provided by your Internet service provider (ISP), but pfSense will support other connection methods as well.

To configure the WAN interface, browse to Interfaces | WAN. Under “General Configuration”, check Enable Interface. You can change the description of the interface (Description).

The next item is “Type”. Here you can choose the interface type. “Static” requires you to type in the WAN interface IP address. “DHCP” gets the IP address from the ISP’s DHCP server, and is probably what you want to select. “PPP” stands for Point-to-Point Protocol, a protocol used for dialup modem connections as well as T-carrier and E-carrier lines, SONET and SDH connections and higher bitrate optical links. “PPPoE” stands for Point-to-Point Protocol over Ethernet and is used by a number of DSL providers. “PPTP” stands for Point-to-Point Tunneling Protocol and is a method for implementing virtual private networks (VPNs); unless your ISP delivers your connection over PPTP you won’t want to choose this option. “L2TP” stands for Layer 2 Tunneling Protocol, a tunneling protocol also used with VPNs.

The next option is MAC address. Typing a MAC address here makes the interface present that address instead of its hardware address (“spoofing”). ISP DHCP servers typically tie a lease to the client’s MAC address, and they have no way to verify it, so entering a different MAC address is a way to obtain a different lease, or to keep the address that was bound to a router you are replacing. Unless you need this, leave the field blank. MTU stands for maximum transmission unit, the largest packet the interface will send; a larger MTU carries more payload per packet, but every device on the path must support it, so leave it unchanged unless your ISP says otherwise. MSS stands for maximum segment size; a value here makes pfSense clamp the MSS of TCP connections passing through the interface so that segments fit within the MTU without fragmentation (useful on PPPoE links). This also should likely be left unchanged.


The next section is different depending on what you selected for the interface type. If you selected “DHCP”, the options will be “Hostname” and “Alias IP Address”. Hostname can be left blank unless your ISP requires it for client identification, and Alias IP address can also be left blank unless the ISP’s DHCP client needs an alias IP address.

The next section is “Private Networks”. Checking “Block private networks” drops traffic arriving on the WAN whose source address is in the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or the loopback range (127.0.0.0/8); such addresses are never legitimately routed across the Internet, so a packet carrying one is spoofed or misconfigured. This should be left checked under most circumstances (the exception is a WAN that sits on a private subnet behind another router, where you may need to uncheck it). “Block bogon networks” blocks traffic from address space that IANA has reserved or not yet allocated; packets from such sources are likewise spoofed, so this should be left checked as well. The bogon list changes over time, which is why pfSense updates it periodically.

Save the options and move on to Interfaces -> LAN.

pfSense Setup: LAN Interface Settings

The LAN settings page in the pfSense web GUI.

Under “General Configuration”, “Enable Interface” should be checked, since unchecking it will prevent the local network from connecting to the router. “Description” allows you to type in a description of the interface.

“Type” allows you to choose an interface type. See the section on WAN settings for an explanation of each of the options. “MAC address” allows you to type in a different MAC address in order to do MAC address spoofing. Again, see the section on WAN interface settings for a more detailed explanation. “MTU” and “MSS” are also explained under WAN settings. “Speed and duplex” allows you to explicitly set speed and duplex mode for the interface; pfSense should autodetect this, so this option should be left unchanged.

If you selected “Static” for the interface, there should be a “Static IP Configuration” section with two options: “IP address” and “Gateway”. With “IP address”, you can change the IP address of the LAN interface (it defaults to 192.168.1.1). Leave “Gateway” at “None” on the LAN; a gateway is only set on interfaces that face upstream, and setting one here would make pfSense treat the LAN as a WAN-type interface.

The next section is “Private networks”. The two options are “Block private networks” and “Block bogon networks”. See the section on configuring the WAN interface for detailed explanations of these options.

That does it for WAN and LAN settings. In pfSense Setup: Part Four, I will take a look at setting up an optional interface.


The Rest of the Guide:

Part One (installation from LiveCD)

Part Two (configuration using the web GUI)



pfSense Setup: Part Two

The General Setup menu in the pf Sense web GUI.

If you followed the setup instructions in pfSense Setup: Part One, pfSense should be running and accessible via the web interface at 192.168.1.1 (or another IP address if you assigned a different one). You should be able to log in using the default username (admin) and password (pfsense). Those credentials are the same on every fresh install, so change the password before you connect the WAN (see the note on the User Manager below).

You will want to change some of the basic settings in General Setup. In the web interface, browse to System | General Setup. At “Hostname”, enter your hostname (the name that will be used to access the machine by name instead of by IP address).

Below this, enter your domain (Domain in the General Settings).

DNS Servers can also be specified. By default, pfSense will act as the primary DNS server. However, other DNS servers may be used, and the place to enter them are in the four boxes for DNS servers.

Check Allow DNS server list to be overridden by DHCP/PPP on WAN. This ensures that DNS requests that cannot be resolved internally are passed on to the WAN and resolved by the external DNS servers provided by your internet service provider.


Next, select the correct time zone; you probably want to leave the default NTP time server as it is.

Next is the theme, which allows you to change the look and feel of the pfSense web GUI. You can probably keep the default theme, pfSense_ng.

pfSense’s User Manager, which has been part of the pfSense web GUI since version 2.0.

NOTE: You probably want to change the admin password. You can do this under System | User Manager. Here you can change the admin password, add new users, and delete users, including the admin.

That’s it for the General Setup within the web GUI. In pfSense Setup: Part Three, I will cover how to configure the WAN and LAN interfaces using the web GUI. Part four will cover configuring optional interfaces.


External Links:

Another useful guide on installing and configuring pfSense (from the iceflatline blog)



pfSense Setup: Part One

Initial pfSense menu when pfSense is booted from the CD.

For purposes of this article on pfSense setup, we will assume that you already have a system that meets the minimum specifications to run pfSense (if you have not acquired the components yet, or if you’re not sure whether your equipment meets the specs, you may want to check this document on pfSense requirements). In a nutshell, however, the minimum hardware requirements are:

  • 100 MHz Pentium CPU
  • 128 MB RAM
  • CD-ROM (for installation, or for the Live CD if you run it off the CD)
  • 1 GB hard drive (if you install it onto a hard drive)
  • Two network interface cards

You can run pfSense from a Live CD or a bootable USB drive.

Download the latest version of pfSense. You can find it at: this FTP site. You probably want to verify the integrity of the download with the MD5 checksum as well. Once this is done, burn the pfSense ISO to a CD or to the media of your choice. You can burn the ISO with the program of your choice; you can do it at the Linux command line with this command:

sudo cdrecord -v speed=20 dev=/dev/sr0 pfSense-LiveCD-2.0.3-RELEASE-i386-20130412-1022.iso
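The verification step mentioned above is worth automating so that a corrupted or tampered download is never burned. The following POSIX shell script is an added example, not code from the original post or from the pfSense project: it pulls the digest out of the published checksum file (either the BSD style “MD5 (file) = hex” or the GNU “hex  file” layout), compares it with the digest of the downloaded ISO, and only then runs the cdrecord command shown above. The checksum file name (the ISO name plus “.md5”) and the burner device /dev/sr0 are assumptions.

```shell
#!/bin/sh
# Added example: verify a downloaded ISO against its published MD5 digest
# before burning it. File names and the cdrecord device are assumptions.

# Print the 32-hex-digit MD5 digest found in a checksum file. Accepts both
# BSD style ("MD5 (file.iso) = <hex>") and GNU style ("<hex>  file.iso").
digest_from_file() {
  sed -n 's/.*\([0-9a-f]\{32\}\).*/\1/p' "$1" | head -n 1
}

# Compute the MD5 digest of a file with whichever tool the system provides.
digest_of() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | cut -d ' ' -f 1
  else
    md5 -q "$1"          # BSD / macOS
  fi
}

# Return 0 when the ISO matches the digest in the checksum file, 1 when it
# does not, and 2 when either file is missing. Nothing is burned on failure.
verify_iso() {
  iso="$1"; sumfile="$2"
  [ -f "$iso" ] && [ -f "$sumfile" ] || { echo "missing $iso or $sumfile" >&2; return 2; }
  expected=$(digest_from_file "$sumfile")
  actual=$(digest_of "$iso")
  if [ -n "$expected" ] && [ "$actual" = "$expected" ]; then
    echo "OK: $iso matches $expected"
    return 0
  fi
  echo "MISMATCH: expected '$expected', got '$actual'" >&2
  return 1
}

# Burn only after a successful verification (checksum file name and the
# burner device path are assumptions).
burn_iso() {
  verify_iso "$1" "$1.md5" || return $?
  sudo cdrecord -v speed=20 dev=/dev/sr0 "$1"
}
```

Usage: place the ISO and its checksum file side by side and run `burn_iso pfSense-LiveCD-2.0.3-RELEASE-i386-20130412-1022.iso`; a mismatch prints both digests and leaves the drive untouched. MD5 protects against a corrupted transfer; it is not collision resistant, so prefer the SHA-256 digest whenever the download site publishes one (the script only needs its pattern and tool swapped).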

Boot your PC with the pfSense CD. You will be presented with a “Welcome to pfSense!” menu with several options. For this screen, you can choose the default option (Boot pfSense). At this point, you can press “I” to invoke the installer, or continue the LiveCD bootup. If you want to boot the LiveCD, either do nothing or hit “C”, and you can skip the following section. [In this case, continue with pfSense setup here.]

pfSense Setup: Installation Onto a Hard Drive

If you hit “I”, then the next screen will be the “Configure Console” menu. Most likely you can choose the “Accept these Settings” option and press [Enter].


The next menu is the “Select Task” menu. There are several options: “Quick/Easy Install”, “Custom Install”, “Rescue config.xml”, “Reboot”, and “Exit”. If you just want to install onto the first hard drive, you can select “Quick/Easy Install” and press [Enter].

The next dialog box is the “Are you SURE” dialog box, which will ask you to confirm your decision to install pfSense by highlighting “OK” and pressing [Enter]. Any data on the first hard drive will be erased in order to install pfSense.

Installation will take a few minutes, as pfSense formats your drive and copies the software to it. Next is the “Install Kernel(s)” screen. Select “Symmetric multiprocessing kernel” and press [Enter].

At the “Reboot” screen, remove the pfSense CD from the CD/DVD drive, highlight “Reboot” and press [Enter].

After the system reboots, you will see the initial “Welcome to pfSense!” menu. Press [Enter] to select the default, or just wait for the pause timer to run out.

pfSense Setup: Further Configuration

[Resume here if you are booting from the LiveCD.]

As pfSense boots, the detected network interface cards will be listed. If not all of your network cards are listed, you will want to exit out of the install by hitting [CTRL-C] and selecting “6” on the menu. Otherwise, the next choice will be:

Do you want to set up VLAN’s now [y|n]?

Assuming that this is a basic pfSense setup, you can type [n] and continue.

The next option is:

Enter your LAN interface name

Here, type the name of the network interface card that will be directly connected to your internal network. The next option is:

Enter your WAN interface name

Here, type the name of the network interface card that will be connected to the internet.

If you installed more than two network cards, pfSense will prompt you for their names as well. For the third card it will prompt:

Enter the Optional 1 interface name

When there are no more network cards to name, you will get the prompt:

Do you want to proceed [y|n]?

Be sure to type [y]. You have completed the first phase of pfSense setup. pfSense will now be running and fully functional. If you wish, you can connect via the web interface, to which pfSense assigns the IP address 192.168.1.1 by default.

Part Two of this article on pfSense setup will go step-by-step through configuring pfSense via the web interface.


The Rest of the Guide:

Part Three (WAN and LAN Settings)

Part Four (Setting Up a DMZ)



© 2013 David Zientara. All rights reserved.