pfSense Install

Version of pfSense used in this guide - 2.6.0 Community Edition

This is a guide to installing pfSense, an open source firewall and router appliance. The base install already gives you stateful firewall rules (access control lists) per interface, DHCP and DNS services, and system logging. Add-on packages extend it with Suricata for intrusion detection and prevention (IDS/IPS), monitoring of your battery backups (UPS), and VPN servers such as OpenVPN and WireGuard, all at no licence cost, to help keep your environment safe from potential threat actors.

Note - Install the appliance with all of the NICs you intend to use already present. Adding or removing NICs after installation can renumber the interfaces and break the interface assignments. You may also notice random characters and words scrolling over the installer screens; these are kernel console messages (in my case caused by my battery backups) and are normal during the initial install.

Requirements

  • 8 GB SSD or HDD

  • 512 MB of RAM

  • 8 GB or more for a USB bootable media for initial installation

  • Laptop or desktop with ethernet connectivity that is able to connect to the device for the web user interface for configuration

  • balenaEtcher for writing the pfSense image to the USB media

    • https://www.balena.io/etcher

In this guide, we will be doing the following below

  • Installing pfSense from a USB bootable media on a Dell PowerEdge R610

  • Creating a new administrator user and disabling the built-in default admin account

  • Creating a DHCP lease pool to have IP addresses dynamically assigned (automatically) to devices within the subnet

  • Switching the web user interface to HTTPS, so credentials and configuration changes are encrypted in transit, and turning off plain HTTP

  • Configuring firewall rules that pass all traffic, so the network can reach the internet (a starting point for testing, not a final ruleset)

    • Testing functionality within the PFSense web interface

  • Viewing system logs


Installing PFSense

Go to https://www.pfsense.org/download/

Select the following in the drop down menu

  • Architecture - AMD64 (64-bit)

  • Installer - DVD Image (ISO)

  • Mirror - Austin, TX, USA (or your choice of location)

Navigate to https://www.balena.io/etcher and download the imaging software

Select the pfSense ISO image you downloaded

Select the USB media device to write the image to (this will erase all data on the USB stick)

Then select Flash!
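Before flashing, verify that the image you downloaded matches the checksum published next to it on the mirror; a truncated or tampered download should never make it onto the firewall. The following script is an added example (not part of the original guide or of pfSense): it parses the BSD-style "SHA256 (file) = hex" checksum file the mirrors serve (and the GNU "hex  file" form), compares it with a locally computed digest, and offers a dd-based alternative to balenaEtcher for Linux. The image filename is the one served for 2.6.0 at time of writing; the device path /dev/sdX is a placeholder you must replace.

```shell
#!/bin/sh
# Verify a downloaded pfSense image against its published SHA256 checksum
# before flashing it. Added example; assumes the mirror serves a
# "<image>.sha256" file in BSD format "SHA256 (<image>) = <hex>".

# Pick whichever SHA-256 tool the host has (Linux: sha256sum, macOS/BSD: shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Extract the expected hex digest from a checksum file: BSD format puts the
# digest in the last field, GNU format ("<hex>  <file>") in the first.
expected_sha256() {
  awk 'NF { if ($1 == "SHA256") print $NF; else print $1; exit }' "$1" | tr 'A-F' 'a-f'
}

# verify_image <image> <checksum-file>: returns 0 if the digests match, 1 otherwise.
verify_image() {
  want=$(expected_sha256 "$2")
  got=$(sha256_of "$1")
  if [ -z "$want" ] || [ ${#want} -ne 64 ]; then
    echo "no usable SHA256 digest in $2" >&2
    return 1
  fi
  if [ "$want" = "$got" ]; then
    echo "OK: $1 matches $want"
    return 0
  fi
  echo "MISMATCH: $1" >&2
  echo "  expected $want" >&2
  echo "  got      $got" >&2
  return 1
}

# Alternative to balenaEtcher on Linux (GNU dd): verify, then gunzip the image
# straight onto the USB stick. DEVICE must be the whole device (e.g. /dev/sdb,
# not /dev/sdb1) and everything on it is destroyed. Placeholder path below.
write_usb() {
  image=$1
  device=$2
  verify_image "$image" "$image.sha256" || return 1
  gunzip -c "$image" | sudo dd of="$device" bs=4M conv=fsync status=progress
}

# Usage (after downloading both the image and its .sha256 file):
#   verify_image pfSense-CE-2.6.0-RELEASE-amd64.iso.gz pfSense-CE-2.6.0-RELEASE-amd64.iso.gz.sha256
#   write_usb pfSense-CE-2.6.0-RELEASE-amd64.iso.gz /dev/sdX
```

If the digest does not match, download the image again from another mirror rather than flashing it; a mismatch is the only signal you get that the file is not what the project published.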

Once the USB is finished flashing, insert the USB bootable media into the device you wish to install PFSense onto and select the key to open the boot menu

Select the USB media you created, making sure you pick its UEFI entry; booting it in Legacy/BIOS mode caused problems in my experience

When the installer's boot menu appears, wait for the 7 second countdown and the installation process starts automatically

When prompted, press enter to accept the EULA

Select Install pfSense

Select your keyboard layout of choice

Choose Auto (ZFS) Guided Root-on-ZFS for disk partitioning

Choose to Proceed with Installation

Select the Stripe – No Redundancy for Virtual device type

Select the mfid0 LSI MegaRAID SAS array for the ZFS configuration

This is the SSD/HDD you have installed; the device name will differ on other hardware

Select Yes to confirm the ZFS configuration

It will begin extracting the files for the pfSense appliance

When the installation finishes, select No when asked whether to open a shell

Remove the USB bootable media and reboot the device

pfSense will boot into the initial setup screen.
Configure the appliance with the following configuration

Select option 2 (Set interface(s) IP address)

Choose the 2nd option, the LAN interface (bce1)

Enter 192.168.1.254 as the LAN IPv4 address with a subnet bit count of 24. This address becomes the default gateway for devices on the LAN

Press Enter for none when asked for the LAN upstream gateway (a LAN interface has no upstream gateway)

Press Enter for none for a LAN IPv6 address configuration

Select y to enable the DHCP server on LAN

This will later be changed within the web UI

Configure the start and ending address range for DHCP from the following below on the LAN (bce1) interface

Use your preferred DHCP lease pool if needed

Start address – 192.168.1.1

End address – 192.168.1.250

When asked "Do you want to revert to HTTP as the webConfigurator protocol?", this guide answers y so the GUI can be reached at http://. Caveat: this sends the admin password in cleartext. Only do it on an isolated LAN during initial setup, and switch the GUI back to HTTPS (done later in this guide). Answering n and browsing to https://192.168.1.254/ instead, accepting the self-signed certificate warning, also works

Navigate to http://192.168.1.254/ in a web browser on a device connected to the LAN interface

Web UI login page

Log into the device with the following credentials

Username - admin

password - pfsense

You will be welcomed with the pfSense Setup wizard, if you are not prompted to the setup wizard, navigate to the top of the web page, select System > Setup Wizard

When prompted with the welcome to pfSense software screen, select Next until you reach the General Information section

Use the following information or customize to your preferences

Hostname - homelab

Domain - homelab.home

NOTE - Use a domain you control, or a name that does not exist on the public internet; a domain that does exist elsewhere can cause DNS resolution conflicts. home.arpa is reserved for exactly this purpose (RFC 8375), but a made-up name like the one above also works

Primary DNS Server - 9.9.9.9 (this is Quad9; you may also use Google's 8.8.8.8 if you prefer)

Setting up the NTP server information (Network Time Protocol)

Time server hostname - can leave as is or change to a known NTP server

Timezone - America/Chicago

Configuring the WAN interface as DHCP, since my ISP (Internet Service Provider) does not give me a statically assigned IPv4 address

Selected Type - DHCP

RFC 1918 Private Networks - Unchecked

Block bogon networks - Unchecked

Caveat: on a WAN that faces the internet directly, leave both of these checked; blocking packets with private or bogon source addresses is the safer default. Unchecking them only makes sense when the WAN receives a private (RFC 1918) address from an upstream router

Changing my IPv4 address because in the future after segmenting and implementing proper firewall practice, I would like to have the ability to VPN into my home network to avoid possible IP conflicts

LAN IP Address - 192.168.70.1

Subnet Mask - 24

This gives the LAN the 192.168.70.0/24 subnet: 192.168.70.1 is the firewall itself and 192.168.70.2 - 192.168.70.254 are available for devices

Set a strong admin password. The default admin account will be disabled later in this guide, but it should still have a strong password; using named per-person accounts instead of a shared admin login is what lets the system logs show who accessed and modified pfSense

Select Reload. The page refreshes and redirects you to the web UI at the new LAN address. If it does not, your device is probably still holding its old 192.168.1.x lease; renew the lease, or statically assign the device the following

IP address - 192.168.70.5 (or any unused IPv4 address between 192.168.70.2 and 192.168.70.253)

Subnet mask - /24 or 255.255.255.0

Default Gateway - 192.168.70.1

Congratulations! You have successfully completed the initial configuration of pfSense from the web browser!

We are not finished yet, though: internet connectivity still needs firewall rules, so let us continue

Select Finish on the next prompt and you will be presented with the PFSense Dashboard

Welcome screen of initial startup and logging in as the default admin


Creating a new user account and disabling the built-in administrator user

At the top of the screen, select the System drop down and choose User Manager

Within the Users directory, select Add

Create a new user with the following information; the example username is sdickTEST

Username - sdickTEST

Password - password_here (use a strong, unique password)

Confirm password - password_here

Full name - Stephen Dick TEST ADMIN

Group membership - select the group admins and select Move to ‘Member of’ list

Select Save

Afterwards, log out of the default admin account and sign in with the new user account to confirm it works before disabling admin

After signing into your new administrator user, select the System drop down menu and select User Manager

Select the pencil icon to edit the admin user

Check the option "This user cannot login" and save the user account

This disables the built-in admin account so it can no longer be used to log in (the account itself cannot be deleted)

With a named account per person, the system logs show who is doing what within the network instead of everything being attributed to admin


Creating a DHCP Lease pool and creating a new network

Navigate to the Interfaces drop down menu and select Assignments

You will see a page listing your NICs

Select the next available NIC and add it to your active interfaces (bce2 in this example)

Save the interface assignment page

In the Interfaces drop down menu, choose the interface you just assigned (OPT3 on bce2 in this case)

Configure the General Configuration with the following information

Enable - Check this box to enable the interface

Description - Any name you want displayed, in this case its Test_DHCP for me

IPv4 Configuration Type - Static IPv4

Speed and Duplex - autoselect (or your NIC's actual speed)

IPv4 address - 192.168.100.1 with a /24 subnet mask

  • This is also the address at which the pfSense web UI answers on this interface. Note that a newly added OPT interface has no firewall rules, so by default nothing is passed on it (including access to the web UI) until you add rules; the anti-lockout rule only protects the LAN interface

Save and apply changed to the interface

Select the Services drop down and choose DHCP Server

Select the interface you have created (TEST_DHCP in my example)

Configure with the following settings

  • Enable - Enables the DHCP

    • Dynamically (automatically) assigns an IP address from the range configured below

  • Deny unknown clients - Allow all clients

    • Can manually add clients via the IP address and MAC address to be allowed on all or only this interface

  • Range From - 192.168.100.50

  • Range To - 192.168.100.80

    • This will only dynamically assign an IP address to a device that is connected to this interface within the range of 192.168.100.50 - 192.168.100.80 by the DHCP server

In my environment, I don’t have any of the following settings currently, I leave these blank

  • Additional Pools

  • Servers

  • OMAPI

Configure the following below for the DHCP Server in Other Options

Gateway - 192.168.100.1

  • The interface's own address (192.168.100.1 in my example). If left blank, pfSense hands out the interface address as the gateway anyway

Time format change - Checked

  • Displays DHCP lease times in the firewall's local time zone instead of the default UTC

Save the configuration; the DHCP server will now hand out addresses from the 192.168.100.50 - 192.168.100.80 range to devices on this interface
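The web UI does not stop you from typing a range that does not fit the interface subnet or that swallows the interface's own address, and both mistakes are easy to make when copying ranges between interfaces. The script below is an added example (not part of the original guide or of pfSense) that checks a proposed DHCP range against the interface address and prefix the way a practitioner would sanity-check it before saving: the range must lie inside the subnet, exclude the network and broadcast addresses, exclude the interface (gateway) address, and run from low to high. The function names and argument layout are my own.

```shell
#!/bin/sh
# Sanity-check a pfSense DHCP range against its interface address/prefix.
# Added example; pure POSIX sh arithmetic, no external tools.

# ip2int <dotted-quad>: dotted IPv4 address to a 32-bit integer.
ip2int() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip <integer>: 32-bit integer back to dotted quad.
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# check_dhcp_range <iface-ip/prefix> <range-from> <range-to>
# Returns 0 when the range is usable, 1 with a reason on stderr otherwise.
check_dhcp_range() {
  ip=${1%/*}
  prefix=${1#*/}
  mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
  ipn=$(ip2int "$ip")
  net=$(( ipn & mask ))
  bcast=$(( net | (~mask & 0xFFFFFFFF) ))
  from=$(ip2int "$2")
  to=$(ip2int "$3")

  if [ "$from" -gt "$to" ]; then
    echo "range start $2 is after range end $3" >&2
    return 1
  fi
  # Network and broadcast addresses are never valid lease addresses.
  if [ "$from" -le "$net" ] || [ "$to" -ge "$bcast" ]; then
    echo "range $2-$3 is not inside $(int2ip $net)/$prefix (excluding network and broadcast)" >&2
    return 1
  fi
  # Handing out the gateway's own address produces an IP conflict with the firewall.
  if [ "$ipn" -ge "$from" ] && [ "$ipn" -le "$to" ]; then
    echo "range $2-$3 includes the interface address $ip" >&2
    return 1
  fi
  echo "ok: $2-$3 inside $(int2ip $net)/$prefix, $(( to - from + 1 )) leases"
  return 0
}

# Usage: the two ranges from this guide, then a range that collides with the gateway.
check_dhcp_range 192.168.100.1/24 192.168.100.50 192.168.100.80
check_dhcp_range 192.168.1.254/24 192.168.1.1 192.168.1.250
check_dhcp_range 192.168.70.1/24 192.168.70.1 192.168.70.100 || echo "rejected, as expected"
```

Run it from any shell before saving the DHCP page; a "rejected" result means the range as typed would either never hand out leases or would collide with the firewall's own address.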


Switching the web UI from HTTP to HTTPS

Select the System drop down and choose Advanced (the Admin Access tab)

Within the webConfigurator menu, use the following configuration

Protocol - HTTPS (SSL/TLS), so traffic to the web UI is encrypted

Max Processes - 2

WebGUI redirect - Check "Disable webConfigurator redirect rule" so the GUI stops listening on port 80 entirely; leave it unchecked if you would rather have plain-HTTP requests redirected to HTTPS

WebGUI Login Autocomplete - Leave "Enable webConfigurator login autocomplete" unchecked, so the browser does not offer to store the admin credentials in the login fields

WebGUI login messages - Leave "Disable logging of webConfigurator successful logins" unchecked, so successful logins are written to the system log. That is how you later see who logged in and when, including a threat actor using compromised credentials of a user account

Anti-lockout - Leave "Disable webConfigurator anti-lockout rule" unchecked. The anti-lockout rule keeps the web UI reachable from the LAN interface regardless of your firewall rules, so a mistaken rule cannot lock you out

Configure Secure Shell with the following

Secure Shell Server - Enabled

SSHd Key Only - "Password or Public Key" for now. Once you have added an SSH public key to your user account, switch this to "Public Key Only" (or "Require Both Password and Public Key") so SSH passwords cannot be guessed

SSH port - Left blank for the default port 22

Configure Login Protection (sshguard, which blocks source addresses that repeatedly fail to authenticate to SSH or the web UI) with the following

Threshold - 10 (failed attempts before the source is blocked)

Blocktime - 600 (how long the source stays blocked, in seconds; or your choice)

Detection time - 1800 (how far back failed attempts are counted, in seconds; or your choice)

Configure the following for the Serial Communications port on your device if applicable

Serial Terminal - Enabled (or disable, your choice)

Serial Speed - 38400 (or another supported speed; it must match the terminal you connect with)

Primary Console - Serial Console

Password protect the console menu - Checked, so anyone with physical or serial access still needs a password to use the console menu

Navigate to the System drop down and select General Setup

This page holds the hostname, domain and DNS server settings entered in the wizard (edit them here if you need to change DNS later), plus the webConfigurator section below, which is purely cosmetic

The webConfigurator section can be configured like mine, or completely customized to your liking

Theme - pfSense

Top Navigation - Scrolls with page

Hostname in Menu - Default (No hostname)

Dashboard Columns - 4

Interface sort - Unchecked, so interfaces keep their assigned order rather than being sorted alphabetically

Associated Panels Show/Hide - All disabled

Login page color - Violet

Login hostname - Show hostname on login banner

Save the configuration

Now we will configure the WAN interface to obtain its address by DHCP from your modem, so pfSense has internet connectivity upstream

Navigate to the Interfaces drop down and select WAN (it may also show the NIC name, such as bce0)

Configure the General Configuration with the following

Enable - Check this to enable the WAN interface

Description - Labeled name as WAN

IPv4 Configuration Type - DHCP (the modem/ISP assigns the address)

IPv6 Configuration Type - None as I have no IPv6 configuration, change to your network configuration if needed

Speed and Duplex - Can leave as default, otherwise change to your known NIC speed

For the Reserved Networks section, configure the following

Block private networks and loopback addresses - Unchecked

Block bogon networks - Unchecked

Caveat: leave both checked on a WAN that faces the internet directly; unchecking them is only appropriate when the upstream router gives the WAN a private address

Save the configuration and apply the changes to pfSense


Allowing all traffic through the firewall

Now we assign firewall rules so the network can communicate with the internet. If you only want internet access with no real policy, with pfSense acting as a plain router, the rules below are enough.

Best practice is to deny everything by default and allow only the specific ports and services each part of your network needs, from source to destination

If you want specific protocols in your firewall, use your asset inventory to note which protocols each subnet needs and allow only those from one subnet to another (source to destination)

Firewall rules are evaluated from the top of the list to the bottom per interface, and the first matching rule wins; anything that matches no rule is dropped by the default deny

If you see any issues along the way, see the bottom of this page: the firewall system logs show which rule passed or blocked a packet and help you troubleshoot

Below is how to allow all traffic on each interface

At the top of the web user interface, select Firewall then select Rules

Within the Firewall rules page, select the interface you would like to add a rule to, for example I will be using my WAN interface in this example and will also be configuring the LAN interface as well

Lets explain what each of these options do

The Add with an up arrow allows a user to create a new firewall rule that brings it to the top of the firewall rules for this interface

The Add with a down arrow allows a user to create a new firewall rule that brings it to the bottom of the firewall rules for this interface

The Delete option, deletes the selected firewall rule (If the interface allows it)

The Save button saves the rule order and changes you made on this page; you must then select Apply Changes for them to take effect

The Separator option is cosmetic and helps separate your firewall rules from one another to help organize what each of them function as

Each firewall rule can also be moved, edited, copied, disabled or deleted

The anchor icon moves the checked (selected) rules above that rule; you may also drag and drop rules into position

The Pencil icon allows you to edit the current rule

The two overlapping squares icon copies the rule, which is handy for reproducing the same rule on another interface with minimal work

The circle with a line through it simply disables the firewall rule

The trash can deletes the firewall rule

The square with a check mark allows you to enable the firewall rule once again after being disabled

Let's begin by creating our first rule, an allow any/any rule

Caveat: a pass any/any rule on WAN is not needed for internet access from the LAN, because replies to connections opened from the LAN are already allowed by the state table. What it does do is expose every service the firewall itself runs, including the web UI and the SSH server enabled above, to the whole internet. Treat it as a temporary test rule and remove it once the LAN rule below is confirmed working

Select the Add with an up arrow to add a firewall rule to the WAN interface at the top of the firewall rules

Configure the WAN interface firewall rule with the following

Action - Pass

  • Allows the matching traffic; on the WAN interface this means traffic arriving from the internet

Interface - WAN

Address Family - IPv4

Protocol - Any

Source - any

Destination - any

Log - Checked

  • I keep logging on because I want to know what is happening throughout my network, and it is good practice. Log volume on a pass-any rule is high, so it is recommended to send logs to a separate syslog server rather than rely on local storage alone

Save the rule and Apply Changes; the new rule appears at the top of the list

Newly made firewall rule from above

Now let’s do the same for the LAN interface

Select the LAN interface located to the right of the WAN above the firewall rules

Select the Add button with the up arrow and create the following configuration below

Action - Pass

Interface - LAN

Address Family - IPv4

Protocol - Any

Source - LAN net (only traffic from the LAN subnet, not anything that happens to arrive on the interface)

Destination - any

Log - Checked (optional)

Save the rule and Apply Changes


Testing functionality with allow all rules in firewall

Now we test internet connectivity from the pfSense firewall appliance itself, upstream through the modem

Navigate to the top of the web page

Select Diagnostics > Ping

Configure the interface with the following

Hostname - 8.8.8.8

  • This is the DNS server IP address for Google, can use any public IP address if you would like

IP Protocol - IPv4

Source Address - LAN

  • The ping is sent by the firewall itself (my R610 running pfSense), using its LAN interface address as the source

Maximum number of pings - 5

Seconds between pings - 1

We now see all packets were successfully transmitted out to Google properly without any packet loss

Now repeat the test with Localhost as the source

Hostname - 8.8.8.8

  • This is the DNS server IP address for Google, can use any public IP address or URL if you would like

IP Protocol - IPv4

Source Address - Localhost

  • This also sends from the firewall, via its loopback address and default route, not from your desktop; Diagnostics > Ping always runs on pfSense

Maximum number of pings - 5

Seconds between pings - 1

Success! The firewall can reach the internet. To confirm that LAN clients can too, ping 8.8.8.8 from a desktop on the LAN and resolve a hostname (for example with nslookup); both the LAN pass rule and DNS must work before browsing succeeds


Viewing system logs

Now we will locate the firewall logs, which are the first place to look when something on the network cannot connect

Navigate to Status > System Logs and select the Firewall tab

The firewall log shows every packet that matched a rule with logging enabled, plus packets dropped by the default deny (logged by default), not only web traffic. The columns are

Action - What the firewall did with the packet (pass or block)

Time - When the packet was logged

Interface - The interface the packet arrived on

Rule - The rule that passed or blocked the packet (the icon next to the action shows which rule matched)

Source - Source IP address (and port) of the packet

Destination - Destination IP address (and port) of the packet

Protocol - The protocol used (TCP, UDP, ICMP); the ICMP entries here come from the ping tests above
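When the GUI view is too slow to answer "which source is hitting my WAN most" or "what did the LAN rule pass in the last minute", it is quicker to work from the raw log lines (the Raw view on the Firewall tab, or /var/log/filter.log copied off the firewall). The script below is an added example (not part of the original guide or of pfSense) that parses those comma-separated filterlog lines using the documented pfSense filter log field layout, prints one normalized line per packet, and counts blocked packets per source. The four log lines are constructed for the example, not a real capture; interface names bce0/bce1 and the tracker ids are placeholders.

```shell
#!/bin/sh
# Parse pfSense filterlog lines (Status > System Logs > Firewall > Raw).
# Added example. Field layout, comma separated after the "filterlog[pid]: "
# prefix, per the documented pfSense filter log format:
#   1 rule  2 sub-rule  3 anchor  4 tracker  5 interface  6 reason  7 action
#   8 direction  9 ip-version; for IPv4: 10 tos 11 ecn 12 ttl 13 id 14 offset
#  15 flags 16 proto-id 17 proto 18 length 19 src 20 dst; for tcp/udp:
#  21 src-port 22 dst-port ...

# Constructed sample: two blocked SSH probes from one WAN source, one passed
# LAN HTTPS flow, one passed ICMP echo request from the LAN.
SAMPLE_LOG='Mar  1 12:00:01 homelab filterlog[41223]: 5,,,1000000103,bce0,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.9,198.51.100.20,44123,22,0,S,1234567,,65535,,mss
Mar  1 12:00:02 homelab filterlog[41223]: 5,,,1000000103,bce0,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.9,198.51.100.20,44124,22,0,S,1234568,,65535,,mss
Mar  1 12:00:03 homelab filterlog[41223]: 9,,,1601234567,bce1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.70.5,8.8.8.8,51022,443,0,S,99887766,,64240,,mss
Mar  1 12:00:04 homelab filterlog[41223]: 9,,,1601234567,bce1,match,pass,in,4,0x0,,64,0,0,none,1,icmp,84,192.168.70.5,8.8.8.8,request,23456,1'

# summarize_filterlog: read log lines on stdin, print
#   "<action> <iface> <proto> <src>:<sport> -> <dst>:<dport> rule=<tracker>"
# for each IPv4 entry (ports shown as "-" for protocols without them).
summarize_filterlog() {
  sed -n 's/^.*filterlog[^:]*: //p' | awk -F, '
    $9 == 4 {
      proto = $17; src = $19; dst = $20
      if (proto == "tcp" || proto == "udp") { sp = $21; dp = $22 } else { sp = "-"; dp = "-" }
      printf "%s %s %s %s:%s -> %s:%s rule=%s\n", $7, $5, proto, src, sp, dst, dp, $4
    }'
}

# top_blocked_sources: count blocked packets per source address, busiest first.
top_blocked_sources() {
  summarize_filterlog | awk '
    $1 == "block" { split($4, a, ":"); n[a[1]]++ }
    END { for (s in n) print n[s], s }' | sort -rn
}

# Usage on a copied log file: top_blocked_sources < filter.log
printf '%s\n' "$SAMPLE_LOG" | summarize_filterlog
printf '%s\n' "$SAMPLE_LOG" | top_blocked_sources
```

The tracker id in the rule= column is the same number the GUI shows when you click the action icon on a log entry, so a line can be traced back to the exact rule, and a source that tops the blocked list repeatedly is a candidate for a permanent block alias rather than a log entry every few seconds.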