Arping with pfSense: Installation and Use


Arping in action under pfSense 2.1.3.

Arping is a computer software tool that is used to discover hosts on a computer network, and is available as a package for pfSense. The program tests whether a given IP address is in use on the local network, and it can get additional information about the device using that address. The utility is similar to the ping utility, which has been discussed on this site in an earlier posting. Whereas ping probes hosts using the Internet Control Message Protocol (a routable protocol that operates on the network layer of the OSI model), arping operates entirely on the data link layer.

There are two popular arping implementations. One of them, part of the Linux iputils suite, cannot resolve MAC addresses to IP addresses. However, the version of this utility that is available as a package for pfSense was written by Thomas Habets and can ping hosts by MAC address as well as by IP address.

Installing Arping

Installing this utility is easy. In the pfSense web GUI, navigate to System -> Packages and click on the “Available Packages” tab. Arping should be on the list. Scroll down to arping and click on the “plus” button on the right side to install arping. The pfSense package installer will ask you to confirm that you want to install arping; press the “Confirm” button. The package installer status window will provide information about the installation and let you know when installation is complete. once it is, arping should appear on the “Installed Packages” tab.

Using Arping

Once arping is installed, you can access arping by navigating to Services -> Arping. From there, you can enter a host ip or MAc address and press the “ARPing” button to ARP ping.

What is it good for, given that the utility essentially replicates the functionality of ping? One case where arping is helpful is when the host you want to ping is firewalled and will not respond to a ping request. Even a firewalled host will respond to ARP.

Another case is when you do not have network layer (layer 3) connectivity to the host you wish to ping (possibly because you want to find out if an IP is taken), but you have data link layer (layer 2) connectivity. Without network layer connectivity, you won’t be able to ping a host, but you can use ARP (since ARP is a data link layer protocol), albeit only for hosts on the local subnet. One note of caution is that on networks employing repeaters that use proxy ARP, the ARP response may be coming from a proxy host and not from the probed target.

External Links:

Arping website for Thomas Habets’ arping

Arping on Wikipedia

Ethernet Fundamentals

EthernetEthernet was developed at Xerox PARC between 1973 and 1974, and was developed as a network technology based on a bus topology. It was originally based on the idea of computers communicating over a shared coaxial cable, and the original specification enabled them to transfer data at a rate of up to 3 Mbps. It remained a largely in-house technology within Xerox until 1979, when Xerox decided to look for partners to help promote Ethernet as an industry standard. They worked with Digital Equipment Corporation (DEC) and Intel to publish what became known as the Digital-Intel-Xerox (DIX) standard. These companies then transferred control of the Ethernet standard to the IEEE, which in turn created the now famous 802.3 committee that continues to control the Ethernet standard. The 802.3 standard initially specified communications over coaxial cable at speeds up to 10 Mbps. Since then, Ethernet has evolved from a single network technology into a standard for a family of network technologies that share the same basic bus topology, frame type, and network access methods.

Ethernet Fundamentals: CSMA/CD and MAC Addresses

Developing a networking standard at the physical level and beyond requires designing a way to send data, a way to determine which computer should use the shared cable at what time, and identify the sending and receiving computers. Ethernet deals with the first two issues by using a process called Carrier Sense Multiple Access with Collision Detection (CSMA/CD), and deals with the third issue by using data frames that contain Media Access Control (MAC) addresses to identify computers on the network. Carrier sense means that each node using the network examines the cable before sending a data frame. If another machine is using the network, then the node will detect traffic on the segment, wait a few milliseconds, and then recheck. If it detects no traffic, the node will send out a frame of data.

Multiple access means that all machines have equal access to the cable. If the line is free, any Ethernet node may begin sending a frame. It does not matter what function the node is performing. Ethernet assigns access on a first-come, first-serve basis, leaving it to other networking technologies (such as pfSense) to discriminate based on what type of traffic it is.

If two computers try to use the cable simultaneously, then a collision occurs, and both of the transmissions are lost. At the same time the network interface is sending a frame, it compares the data being sent with the data received over the cable. If there is a difference, both nodes will detect a collision and immediately stop transmitting. Then each node generates a random number to determine how long it waits to begin trying again. Whichever node generates the lowest number begins retransmission first. The losing node sees traffic on the wire and waits for the wire to be free again before attempting to retransmit.

As you can imagine, any Ethernet node will waste some time dealing with collisions instead of sending data. Moreover, as more nodes are added to the network, the collisions increase. We call a collision domain a group of nodes that hear each other’s traffic. Ethernet standards dictate that within a collision domain, there should be at most 5 segments tied together with 4 repeaters, and no more than 3 populated segments.

Ethernet requires a means of identifying sending and receiving nodes, and its method is to use special 48-bit binary addresses known as MAC addresses. MAC addresses give each network interface card (NIC) a unique address. When a computer sends out a data frame, all other NICs on the collision domain listen to the wire and examine the frame to see if it contains their MAC address. If not, they ignore the frame. If a NIC sees a frame with its MAC address, it accepts the frame and begins processing the data.

One issue with this method is that any device connected to the network cable can potentially capture any data frame transmitted across the wire. Network diagnostic programs can order a NIC to run in promiscuous mode, in which case the NIC will process all frames it sees on the cable regardless of their MAC addresses. Such programs are useful diagnostic tools but also pose a security risk, as anyone with access to the network can potentially intercept every frame on the collision domain.

External Links:

Ethernet at Wikipedia

5-4-3 Rule at Wikipedia

ARP Configuration in pfSense

Address Resolution Protocol (ARP)

Address Resolution Protocol (ARP) is a protocol used for resolution of network layer addresses into link layer addresses. It was defined by RFC 826 in November 1982. ARP is used to convert an IP address to a physical address (the RFC specifies a 48-bit Ethernet address, called the MAC address). The RFC also specifies 10 Mb Ethernet, but ARP applies to all variants of Ethernet, regardless of speed.

To demonstrate how ARP works, let’s assume that we have two systems on our local network: NODE1 ( and NODE2 ( NODE1 wants to send data to NODE2. It knows the IP address, but it does not know the MAC address, and without the MAC address, it cannot make a frame. So NODE1 sends out a broadcast frame to the broadcast address, which is FF:FF:FF:FF:FF:FF. All systems on the network receive and process frames sent to the broadcast address. This frame asks all systems on the local network what the MAC address for IP address is. This frame is called an ARP request. The system with the IP address replies to NODE1 with an ARP reply.

Once NODE1 gets the MAC information for NODE2, it stores this information in a cache. You can see the ARP cache in your Windows or Linux system by typing arp -a (in Unixoid environments, you may have to specify the path; e.g. /sbin/arp -a). In some situations, a computer knows the MAC address, but needs the system’s IP address; in those cases, it can broadcast a Reverse ARP (RARP) command. While ARP is fairly common, few applications require RARP.

ARP is an essential networking component, but it will not work if the target computer is not part of the local network. If NODE1 wanted to send data to a remote computer, it cannot ARP that system, because the Internet does not allow any form of broadcast frames. In this case, NODE1 creates frames with the remote system’s IP addres and runs an ARP to determine the MAC address of the remote system. The sending system’s network interface card (NIC) then creates frames with the gateway’s MAC address. As each frame comes into the gateway, it strips off the frame, leaving the IP packets, which still have the IP address of the remote system as its destination. The gateway then wraps the IP packets in whatever type of frame the outgoing connection needs and sends them toward the intended system.

Viewing the ARP Table and Other Configuration Tips


Viewing the ARP table in pfSense.

To view the pfSense ARP table, navigate to Diagnostics -> ARP Table. The table will contain some, but not necessarily all, of the systems in pfSense’s local network. Only systems that have been the target of an ARP query show up in the table.

Because ARP does not provide methods for authenticating ARP replies on a network, ARP replies can come from systems other than the one with the required Layer 2 address. An ARP proxy is a system which answers the ARP request on behalf of another system for which it will forward traffic, normally part of the network’s design. Proxy ARP configuration in pfSense has already been detailed in a previous article.

There is one last setting that should be noted. In some cases, you may have two NICs on the same physical network, but on different subnets. Everything works, but you get a lot of messages like this in the system log:

kernel: arp: is on fxp2 but got reply from 00:30:ab:0e:de:a2 on fxp0

You can ignore these error messages, but because of the sheer amount of them, they may hide some of the more important error messages. Fortunately, pfSense has provided an easy way of getting rid of them. Navigate to System -> Advanced, and click on the “Networking” tab. Under “Network Interfaces“, check the “Suppress ARP messages” check box. Now ARP log messages will be suppressed between multiple interfaces on the same broadcast domain, even if they are on separate subnets.

External Links:

Address Resolution Protocol at Wikipedia

Ethernet Address Resolution Protocol at

Switch management on two interfaces at

pfSense Wake-on-LAN

pfSense Wake-on-LAN

Configuring pfSense Wake-on-LAN in pfSense 2.0.

In this article, I cover another interesting pfSense feature: pfSense Wake-on-LAN. As you may know, Wake-on-LAN (WOL) is an Ethernet computer networking standard that allows a computer to be turned on or awakened by a network message. It was introduced in 1997 as a joint project by Intel and IBM. Wake-on-LAN is implemented using a specially designed packet called a magic packet, which is sent to the computer to be woken up. The magic packet contains the MAC address of the destination computer. Powered-downed or turned off computers capable of Wake-on-LAN will contain network devices able to listen to incoming packets in low-power mode while the system is powered down. If a magic packet is received that is directed to the device’s MAC address, the NIC signals the computer’s power supply or motherboard to initiate system wake-up, much in the same way as pressing the power button would do. The magic packet is sent on layer 2 of the OSI model (data link layer) and when sent, is broadcast to all attached devices on a given network, using the network broadcast address; layer 3 (the network layer) is not used. As a result, if you want to use Wake-on-LAN outside your current network, it requires special configuration. pfSense Wake-on-LAN provides the capability of either waking a computer from the local network or the Internet.

Enabling Wake-on-LAN on the Motherboard

In order to use Wake-on-LAN, your motherboard has to have a chipset that includes this feature. Most likely, you will have to enable Wake-on-LAN in your motherboard’s CMOS setup utility first. This is done by rebooting the computer and entering the CMOS setup utility (usually by holding down the Escape key or F2 or F10 during the boot sequence). Wake-on-LAN is usually found within “Power Management Setup” in the main menu of the CMOS setup utility. In any case, enter the appropriate submenu and scroll down until you find Wake-on-LAN (it might be called “WOL”, “Power on PCI”, or something similar), and enable it if it is not enabled already. Then save the settings and quit CMOS setup and reboot. In addition to enabling Wake-on-LAN on the motherboard, you may also have to enable it on your network card. In Windows, you can do this by browsing to the Device Manager (you can get there by navigating to Control Panel -> System, clicking on the Hardware tab, and pressing the Device Manager button, but there are other ways as well). Scroll down to your network card and double-click on it. You should be able to find the Wake-on-LAN feature by clicking on the Advanced tab and looking under Property. In Linux, you can configure your network card using the ethtool utility.

Configuring pfSense Wake-on-LAN

pfSense Wake-on-LAN

Wake-on-LAN can be invoked by clicking on the appropriate MAC address in the table, or entering the MAC address above, or clicking the button to wake all clients at once.

Now you can enable Wake-on-LAN in pfSense. To enable pfSense Wake-on-LAN, first navigate to Services -> Wake on LAN. Once there, press the “plus” button to add a WOL MAC address entry. At “Interface”, select the interface that contains the device. At “MAC address“, enter the device’s MAC address. At “Description“, add an appropriate description and press the “Save” button to save the changes. After you save the changes, it will take you back to the page you were at when you clicked on “Wake On LAN”. Here you will see a table with a list of all the stored clients. Click on the MAC address of any of the stored clients to send a magic packet, or enter the interface and MAC address at the top of the page and click on the “Send” button. In addition, there is a button in the middle of the page that will enable you to wake all the clients at once.

External Links:

Wake-on-LAN in Wikipedia

pfSense Wake-on-LAN at

The Ultimate Wake-on-LAN Guide – contains a lot of useful information, especially about how to enable Wake-on-LAN on your motherboard. It includes a section on pfSense.

pfSense Gateways Explained

pfSense Gateways

Adding and configuring a gateway in pfSense 2.0.

pfSense gateways are relatively easy to add and configure, and pfSense also supports gateway groups, which I will briefly discuss in this article (a more detailed explanation, however, will be the subject of a future article). A gateway is a router interface connected to the local network that sends packets out of the local network. It has both a physical and a logical address. Since it is involved in sending packets to other networks, it operates at the network layer of the OSI Model. When packets are sent over a network, the destination IP address is examined. If the destination IP is within the network, the router can use the Address Resolution Protocol (ARP) table to find the MAC address of the target host and send the packets.

If the destination IP is outside of the network, however, then will not be able to find the MAC address of the target host in its ARP table. The packet will go to the gateway for transmission outside of the network. In this case, the frame header will add the gateway’s MAC address (the gateway operates on the data link layer of the OSI model as well). The gateway is on the same network as host devices and must have the same subnet mask as host devices. Each host on the network uses the same gateway.

Adding pfSense Gateways

pfSense Gateways

Now that we have added our gateway, it shows up on the list.

Unless you are configuring a gateway group, pfSense gateways should not take long to set up. To add a gateway, navigate to System -> Routing. Click the “Gateways” tab if it is not already selected and click the “plus” button to add a new gateway. At “Interface“, select a network interface for the new gateway. At “Name“, specify a name for the gateway (no spaces). At “Gateway“, specify the IP address for the gateway (it must be a valid IP address on the interface). Check the “Default Gateway” checkbox to make this the default gateway. The next checkbox is “Disable Gateway Monitoring“; check this if you want to disable monitoring so pfSense will consider this gateway as always being up. At “Monitor IP“, you can assign an an alternative address to be used to monitor the link. It will be used for the quality Round Robin Database (RRD) graphs as well as the load balancer entries. Leave it blank to use the gateway’s IP address by default. At “Description“, add a description if desired. Finally, press “Save” to save the changes and “Apply Changes” to apply the changes if necessary. Now the new gateway should appear on the list of pfSense gateways at the “Gateways” tab.

There are a number of advanced options for pfSense gateways you can view by clicking the “Advanced” button just below the “Alternative monitor IP” edit box. The “Weight” drop-down box allows you to assign a weight for the gateway when used in a gateway group. Gateway groups are just what their name implies. They group together gateways to act in a coordinated fashion. Increasing the weight of the gateway increases the likelihood it will be used. “Latency thresholds” defines the low and high water marks for latency in milliseconds. Once latency exceeds the high water mark, the gateway will go down. The default latency thresholds are 10 ms and 50 ms. “Packet Loss Thresholds” define the low and high water mark for packet loss in percentage. Again, once packet loss exceeds the high water mark, the gateway goes down. The defaults are 1% and 5%. “Frequency Probe” defines in seconds how often an ICMP probe will be sent. The default is 1 second. “Down” defines the number of bad probes before the alarm will be sent. The default is 10.

Now that the OPT1 is configured as the gateway, packets whose destination is outside of the network will be forwarded to OPT1. There, the frame will be stripped off the packets, leaving the IP packets with the IP address of the destination host. The gateway interface will then wrap the IP packets in whatever type of frame the outgoing connection needs, and sends them toward the target host.

External Links:

Settings for pfSense Gateways at

How to set up a pfSense firewall when the default gateway is on a different subnet

pfSense Gateway Grouping

pfSense Captive Portal: Part Two (RADIUS Server, etc.)


Configuring RADIUS settings in pfSense 2.0.

In part one, I covered configuration of a simple captive portal in pfSense. In this part, I continue explaining some of the more esoteric captive portals settings, including a look at what RADIUS is and configuring RADIUS settings.

At “Pre-authentication redirect URL“, you can set the value of the $PORTAL_REDIRURL$ variable. This variable can be accessed using your custom captive portal index.php page or error pages. At “After authentication Redirection URL“, you can provide a URL that clients will be redirected to instead of the one they initially tried to access after they authenticated.

The next option is the “Disable concurrent logins” check box. If this option is set, only the most recent login per username will be active. Subsequent logins will cause machines previously logged in with the same username to be disconnected. Next is the “Disable MAC filtering” check box; if checked, pfSense will make no attempt to ensure that the MAC address of the client stays the same when they are logged in. The “Enable Pass-through MAC automatic additions” check box will ensure that users of that MAC address will never have to authenticate again if this option is checked. Any authenticated users who access the Internet while this is enabled will have a MAC passthrough entry added. To remove an entry, you either have to log in and remove it manually from the “Pass-through MAC tab” or send a POST from another system to remove it. The “Enable Pass-through MAC automatic addition with username” check box will cause pfSense to save the user name used during authentication. Again, to remove the passthrough MAC entry, you either have to log in and remove it manually from the “Pass-through MAC” tab or send a POST from another system to remove it.

The next check box, “Enable per-use bandwidth restriction“, allows you to restrict each user who logs in to a specified default bandwidth. RADIUS can override the default settings. The default download/upload speeds (in Kbit/s) is specified in the next two edit boxes.

RADIUS Explained

The next section is “Authentication“. Here you have three broad options: “No Authentication“, “Local User Manager/Vouchers” (which was the method user in the configuration example in part one), and “RADIUS Authentication“. Remote Access Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for computers that connect and use a network service. It is often used by ISPs and enterprises to manage access to the Internet or internal networks, wireless networks, and integrated e-mail services. If RADIUS is enabled, the user or machine sends a request to a Remote Access Server (RAS) to gain access to a particular network resource using access credentials. The credentials are passed to the RAS device via the link-layer protocol. In turn, the RAS sends a RADIUS Access Request message to the RADIUS server, requesting authorization to grant access via the RADIUS protocol. The requests includes access credentials, typically in the form of username and password or security certificate provided by the user. The RADIUS server checks that the information is correct using authentication schemes such as PAP, CHAP, or EAP. The RADIUS server returns one of three responses: Access Reject (the user is unconditionally denied access), Access Challenge (the server requests more information), or Access Accept (the user is granted access). If the user is granted network access, the Network Access Server (NAS) will send a packet to the RADIUS server indicating it should begin accounting, which will continue until the user’s network access is closed.

Specifying a RADIUS Server

pfSense gives us a variety of options for RADIUS configuration. Under “Primary RADIUS server“, you can enter the IP address, port, and shared secret (a shared secret is a piece of data known only to the parties involved used either for authentication or to feed a key derivation function to produce keys to use for encryption and/or MACing of messages). There is an identical series of edit boxes under “Secondary RADIUS server“. Under “Accounting“, click the “send RADIUS accounting packets” check box to send accounting packets to the primary RADIUS server. At “Accounting port“, you can specify a port (leaving it blank causes the default port, 1813, to be used). At “Accounting updates“, there are three options: [1] no accounting updates; [2] stop/start accounting, and [3] interim update.

Check “Enable RADIUS MAC authentication” to make the captive portal try to authenticate users by sending their MAC address in the username and the password entered in the “Shared secret” edit box to the RADIUS server. “RADIUS NAS IP attribute” allows you to choose the IP of the Network Access Server. Checking “Use RADIUS Session Timeout attributes” will cause clients to be disconnected after the amount of time retrieved from the RADIUS Session-Timeout attribute is reached. “Type” can be set to “default” or “cisco“; if it is set to Cisco, the value of Calling Station-ID will be set to the client’s IP address and the Called station-ID to the clients MAC address, instead of to the MAC address and WAN UP address respectively.

At “MAC address format“, you can change the MAC address format used for the whole RADIUS system. The default is to have the 48-bit address in hexadecimal separated by colons into octets. Checking “Enable HTTPS login” will cause the username and password to be transmitted over an HTTPS connection to protect against eavesdroppers. The next few fields, “HTTPS server name“, “HTTPS certificate“, “HTTPS private key“, “HTTPS intermediate certificate” are parameters related to configuring your HTTPS server.

Changing Default Portal/Error/Logout Pages

Portal page contents” allows you to upload an HTML/PHP file for the portal page. You must include a form with a submit button (name=”accept”), a hidden field with name “rediurl” and value=””, and “auth_user”, “auth_pass” and “auth_voucher” if authentication is enabled. “Authentication error page contents” allows you to upload an error page to display when an authentication error occurs. Finally, “Logout page contents” allows you to upload an HTML/PHP file to display when the logout popup is enabled.

External Links:


How to Set Up a Radius Server on pfSense Using the FreeRadius Package on

Static DHCP Mapping in pfSense

In the previous posting, I covered how to configure basic settings for the DHCP server. In this part, I cover static DHCP mappings. A static DHCP mapping ensures a client is always given the same IP address.

Static DHCP Mapping: First Method

Static DHCP Mapping

Edit static mapping page in the pfSense web GUI.

In order to add static DHCP mappings, browse to Status -> DHCP Leases to view the list of clients who have been issued DHCP requests. Click the “plus” button to add a new static DHCP mapping. The MAC address field will be pre-filled; enter an IP address, which must be outside of the range of dynamically assigned DHCP addresses. Finally, enter a “Hostname” and “Description” if desired. Now press “Save” to save the changes, and “Apply” to apply changes if necessary.

Static DHCP Mapping: Second Method

If no DHCP leases have been issued yet, you may not be able to add static DHCP mappings from Status -> DHCP Leases. Fortunately, there is a second method for adding static DHCP mappings. Browse to Services -> DHCP Server -> Interface (if you followed along with my previous DHCP setup scenario, the interface will be “LAN“). Scroll to the bottom of the page, and you will find “DHCP Static Mappings for this interface.” Click on the Add button to the right. From the Services ->  DHCP -> Edit static mapping page, you can type in “IP Address“, “Hostname” and “Description“, as described above.

Now, when a client connects to your DHCP server, the firewall will first check for a mapping in the “DHCP Static Mappings” table. If the client’s MAC address matches a mapping you specified, then the DHCP server uses the IP address specified in the mapping. If no mappings exists for your client’s MAC address, your DHCP server uses an IP address from its available range. Alternatively, you could have selected “Deny Unknown Clients” under Services -> DHCP Server -> Interface, in which case the client will not get a DHCP lease unless the client is defined in the static mappings table.

Static mappings can always be viewed at the bottom of the DHCP Server configuration page for each interface. All static mappings for a given interface can be managed here. Existing mappings can be modified or removed, and new static mappings can be created (but you will have to enter the MAC addresses manually).

External Links:

Configuring DHCP Server and Dynamic DNS Services


pfSense Setup: Part Three (WAN and LAN Settings)

In pfSense Setup: Part Two,  I covered General Settings within the pfSense web GUI. In this part, I cover configuring the WAN and LAN interfaces. There are a number of different options here; fortunately, pfSense makes the job easy on us by creating reasonable defaults. From the pfSense web GUI menu, go to Interfaces -> WAN.

pfSense Setup: WAN Interface Settings


The WAN settings page in the pfSense web GUI.

The WAN interface provides your connection to the Internet. To access the WAN, you will need a properly-configured WAN interface and an Internet connection. Typically your Internet connection will be through a cable modem provided by your Internet service provider (ISP), but pfSense will support other connection methods as well.

To configure the WAN interface, browse to Interfaces | WAN. Under “General Configuration”, check Enable Interface. You can change the description of the interface (Description).

The next item is “Type”. Here you can choose the interface type. “Static” requires you to type in the WAN interface IP address. “DHCP” gets the IP address from the ISP’s DHCP server, and is probably what you want to select. “PPP” stands for Point-to-Point Protocol, a protocol used for dialup modem connects as well as T-carrier, E-carrier connections, SONET and SDH connections and higher bitrate optical connections. “PPPoE” stands for Point-to-Point Protocol over Ethernet and is used by a number of DSL providers. “PPTP” stands for Point-to-Point Tunneling Protocol and is a method for implementing virtual private networks (VPNs); unless your WAN interface is a VPN you won’t want to choose this option. “L2TP” stands for Layer 2 Tunneling Protocol, a tunneling protocol also used with VPNs.

The next option is MAC address. Typing in a MAC address here allows you to “spoof” a MAC address. The DHCP servers of ISPs assign IP addresses based on MAC addresses. But they have no way of verifying a MAC address, so by typing a different MAC address, you can “force” your ISP’s DHCP server to give you another IP address. Unless you want to spoof your MAC address, you can leave this field blank. MTU stands for maximum transmission unit. Larger MTUs bring greater efficiency but also greater latency. This should probably be left unchanged. MSS stands for maximum segment size, and specifies the largest amount of data pfSense can receive in a single TCP segment. This also should likely be left unchanged.

The next section is different depending on what you selected for the interface type. If you selected “DHCP”, the options will be “Hostname” and “Alias IP Address”. Hostname can be left blank unless your ISP requires it for client identification, and Alias IP address can also be left blank unless the ISP’s DHCP client needs an alias IP address.

The next section is “Private Networks”. Checking “Block private networks” ensures that 10.x.x.x, 172.16.x.x, and 192.168.x.x addresses, as well as loopback addresses (127.x.x.x) are non-routable. This should be left checked under most circumstances. “Block bogon networks” blocks traffic from IP addresses either reserved or not yet assigned by IANA. This should be left checked as well, for obvious reasons.

Save the options and move on to Interfaces -> LAN.

pfSense Setup: LAN Interface Settings


The LAN settings page in the pfSense web GUI.

Under “General Configuration”, “Enable Interface” should be checked, since unchecking it will prevent the local network from connecting to the router. “Description” allows you to type in a description of the interface.

“Type” allows you to choose an interface type. See the section on WAN settings for an explanation of each of the options. “MAC address” allows you to type in a different MAC address in order to do MAC address spoofing. Again, see the section on WAN interface settings for a more detailed explanation. “MTU” and “MSS” are also explained under WAN settings. “Speed and duplex” allows you to explicitly set speed and duplex mode for the interface; pfSense should autodetect this, so this option should be left unchanged.

If you selected “Static” for the interface, there should be a “Static IP Configuration” section with two options: “IP address” and “Gateway”. With “IP address”, you can change the IP address of the LAN interface (it defaults to

The next section is “Private networks”. The two options are “Block private networks” and “Block bogon networks”. See the section on configuring the WAN interface for detailed explanations of these options.

That does it for WAN and LAN settings. In pfSense Setup: Part Four, I will take a look at setting up an optional interface.

The Rest of the Guide:

Part One (installation from LiveCD)

Part Two (configuration using the web GUI)

Ad Links:

© 2013 David Zientara. All rights reserved. Privacy Policy