pfSense Simple Home Configuration - 2.4.3 / 2.4.4
Starting from Scratch
This is my personal guide for installing pfSense. Hope you find it useful. I made these notes to capture the details of my "install from scratch" to ensure I didn't miss important details. Also, I'm trying build my network with discrete "disposable" components that make the system mutable and less rigid. It does not cover installing any packages like Squid or Suricata as that's way beyond the scope of a basic, functional install.
I migrated from an environment that was at various times running Tomato Toastman 1.28 or Asuswrt-Merlin on Netgear and ASUS routers across four "access points" (one always acting as the firewall/gateway, the rest as APs). It was OK pre-gigabit, but had roaming problems, and I was using large Wifi routers with most of the features disabled. Also, I found that I could easily swamp the network and tank VOIP and Wifi Calling without even trying. The only fix was to throttle everything by using Bandwidth Limiter or QOS, both of which exacted about a 50% penalty on my bandwidth, and (worst of all) the QOS implementations in all of these firmwares (including the stock firmware) has been known to be buggy since the beginning of time.
With this, I eliminated four (very ugly) $100-200 routers all with between three and six goofy antennas, and I replaced them with a pfSense firewall/router (this guide), a Unifi Cloudkey, and four attractive/invisible Unifi APs (1 x UAP-AC-PRO, 2 x UAP-AC-LITE, 1 x UAP-AP-InWall). Update: CloudKey v1 kept having issues with the database filling up and crashing. Now running the Unifi controller on its own dedicated box and I have no data retention concerns.
I used an HP t620 plus Thin Client acquired on eBay for less than $80 US (note the 'plus' for the PCI slot where you will install a low-profile network card. This makes an excellent machine for a pfSense firewall/router because it can easily handle WAN speeds up to a gigabit and many dozens of clients. Mine came equipped as follows:
AMD GX-420CA SOC with Radeon(tm) HD Graphics, 4 GB RAM, 16GB SSD
The HP t620 plus includes one RTL8111 gigabit port and I added two additional ports in the PCI slot via a low-profile SYBA 2-port Ethernet PCIe also with Realtek RTL8111 chips (from Amazon). pfSense seems to support just about anything, including USB ethernet dongles, but not reommended for "production" builds.
- Prepare pfSense USB stick version
- Reset the BIOS to defaults.
- Boot to the USB stick (labeled UEFI PMAP USB on my machine)
- Install pfSense on ZFS using all the default options
Congratulations! You now have an enterprise-grade firewall ready to configure.
The Console Configuration
Reboot and wait for the pfSense console menu, then configure the ethernet Interfaces:
*** Welcome to pfSense 2.4.3-RELEASE (amd64) on pfsense *** 0) Logout (SSH only) 9) pfTop 1) Assign Interfaces 10) Filter Logs 2) Set interface(s) IP address 11) Restart webConfigurator 3) Reset webConfigurator password 12) PHP shell + pfSense tools 4) Reset to factory defaults 13) Update from console 5) Reboot system 14) Disable Secure Shell (sshd) 6) Halt system 15) Restore recent configuration 7) Ping host 16) Restart PHP-FPM 8) Shell Enter an option: 1 Valid interfaces are: re0 00:13:3b:0f:e3:xx (up) RealTek 8168/8111 B/C/CP/D/DP/E/F/G PCIe Gigab re1 00:13:3b:0f:e3:xx (up) RealTek 8168/8111 B/C/CP/D/DP/E/F/G PCIe Gigab re2 00:8c:fa:d5:d2:xx (down) RealTek 8168/8111 B/C/CP/D/DP/E/F/G PCIe Gigab
Tip: use auto-configuration if you don’t know the port labels (re0, re1, etc). Do not plug in the ethernet cable until after you select 'a', and then watch for the link lights before you hit 'enter' to detect. I assign mine as follows (already plugged in as noted by 'up' above):
WAN (wan) -> re0
LAN (lan) -> re1
Confirm, then wait 1-2 minutes for menu to return. If everything goes well, you will eventually see something like this:
pfSense - Serial: MXL4431xxx - Netgate Device ID: c7884a54adec049bxxxx *** Welcome to pfSense 2.4.3-RELEASE (amd64) on pfsense *** WAN (wan) -> re0 -> v4/DHCP4: 71.204.xx.xx/22 v6/DHCP6: 2001:558:6011:7a:1dd4:45b:xxxx:xxxx/128 LAN (lan) -> re1 -> v4: 192.168.1.1/24 v6/t6: 2601:c2:c100:85b4:213:3bff:xxxx:xxxx/64
- WAN is configured as an IPv4 and IPv6 DHCP client (seen above with ISP IPs)
- LAN is configured with a static IPv4 address of 192.168.1.1/24
- All incoming connections to WAN are blocked
- All outgoing connections from LAN are allowed
- IPv4 DHCP Server is enabled
- The DNS Resolver (unbound) is enabled
- The DNS Forwarder (dnsmasq) is disabled
- SSH is disabled
- pfSense WebGUI is running on port 443 using HTTPS
Refer to the pfSense docs for additional details about the default configuration.
The Web Configuration
Connect a PC or laptop to the LAN port. IP address will pull via DHCP - likely 192.168.1.100.
Login to pfSense via your browser - https://192.168.1.1
- username = admin
- password = pfsense
The Setup Wizard (9 steps)
|1. Netgate Global Support||none|
|2. General Information||hostname = pfsense|
|domain = blank typically|
|Primary DNS Server = 220.127.116.11|
|Secondary DNS Server = 18.104.22.168|
|Override DNS = unchecked|
|3. Time Server Information||Timezone = yours|
|4. Configure WAN Inferface||No changes|
|5. Configure LAN Interface||No changes|
|6. Set Admin GUI password||Enter a secure password (twice)|
|7. Reload Configuration||Do it|
|8. Reload in Progress||OK|
|9. Wizard Completed||Congratulations!|
Aside: I have a domain registered with afraid.org that I use in Step 2 that gets connected via DDNS below. Use whatever you prefer for DNS servers.
Bogons Be Gone - May not apply to versions newer than 2.4.3
If you see alerts in the upper right hand corner, click to see if it’s this:
There were error(s) loading the rules: /tmp/rules.debug:18: cannot define table bogonsv6: Cannot allocate memory - The line in question reads : table <bogonsv6> persist file "/etc/bogonsv6"
I get four errors like this on my install. You can correct by increasing
Firewall Maximum Table Entries (in my case, from 200000 to 400000) under
System / Advanced / Firewall & NAT
Recommended: Turn on SSH (Secure Shell) so you can access the console in case your web configuration gets hosed. This should generate two alerts: "pfSense is creating missing SSH keys", and "pfSense has completed creating SSH keys".
First Things First
Backup your configuration.
Diagnostics / Backup & Restore / Backup & Restore
Click the button labeled
Download Configuration as XML and save to your local computer. Now you have a backup of the 'base' configuration that you can restore at any time if you get into a jam. Note that pfSense also saves quite a few configurations under the
Config History, but if you are making many changes, your base install will fall off the bottom very quickly. For instance, each step in the wizard creates a backup, and running through it three times will basically clear out all auto-backups. Update: Auto Configuration Backup (Gold feature) is now free to all.
Take a look at the Config History to see the diffs of all the changes made so far. This is a great way to learn the basics of the pfSense default install. Now, go start configuring the system to your liking.
Seriously, make a backup. Don't change anything else until you have downloaded a copy of the configuration to this point. If you don't have a backup, I guess you can always start back at the top.
The following section documents all the critical things I have to remember to do, so that the things I expect to "just work" actually do. Some of these were learned painfully, by trial and error, or from other kind souls on the interwebs.
DDNS, DHCP, and Static IPs
- Setup DDNS under
Services / Dynamic DNS / Dynamic DNS Clients
- DNS-o-matic for me, which updates afraid.org for my domain
- Add ICMP ping "pass" rule to firewall for any line monitoring services like DSLReports (don’t forget to hit apply)
- Add static DHCP mappings (if you start from the
Status / DHCP Leasespage, you can pick up the MAC address from your target hosts automatically). I leave my DHCP range as 192.168.1.100-199, and configure the following:
- my Unifi wireless access points and controller on 192.168.1.2-9
- my NAS, Plex, and cameras all have static IPs in clusters of 10 IPs so they are easy to find.
I eventually assign all "regular" devices on my LAN to static IPs in various ranges of 10 IPS so that I can easily spot new devices. I don't bother anymore if the device doesn't NEED to be static.
Packages and VLANs
Don't install any packages or add VLANs. This was my problem after my first install. I added VLANs, and Squid, and Suricata, and Snort... just wait. You are a much greater danger to yourself at this stage, so focus on learning the menus and reviewing the logs. Are you even sure that your configuration works with your existing devices? Give it a couple of days. Go check your home automation, your Rokus, your car, your doorbell, etc.
Tip: Remember that backup I said you needed to download? This would be a good time to do that (again), because, if you are like me, you're going to screw with some setting along the way that will break your firewall, and you won't know what you did.
I only run four packages on my install:
- bandwidthd (for stats).
- darkstat (because you can never have enough stats).
- (nmap) looks up MAC addresses in the OUI database, so instead of only a list of MACs in the DHCP leases, you'll see the MAC and in parantheses you'll see the manufacturer (if available).
- pfBlockerNG-devel (this is an execise for the reader, and I actaully don't run it anymore).
Port Forwarding and NAT
Since all unsolicited incoming traffic is blocked by default (default deny), to allow requests from outside your LAN, you must open external ports. The external port can be what ever you like, and the internal redirect port will be the port a given app/service is listening on (examples: web = 80, synology = 20000, plex = 32400).
for example, for web server, under
Firewall / NAT / Port Forward, add HTTP (Port 80) Forward to the WAN interface.
Destination port rangeto HTTP
Redirect target IPto the static IP of your web server configured above
To browse to your web server by external name/IP, you can configure
System / Advanced / Firewall & NAT to handle traffic originating inside your LAN and loop back to the appropriate server.
- NAT Reflection mode for port forwards: NAT + Proxy
- Enable NAT reflection for 1:1 NAT: checked
- Enable auto outbound NAT for reflection: checked
Tip: Don't forget to clear your browser cache or hold Ctrl and click Refresh to clear/refetch the http/https redirects.
Tip: Test external access with Online Port Checker.
Plex needs to connect directly for maximum performance, because if it goes through their relay service, performance is limited to 1-2mbps. Quoting Plex: "Enabling Remote Access to connect your server with plex.tv works best with modern routers that support uPnP or NAT-PMP auto-configuration."
- Enable uPnP in
Services / UPnP & NAT-PMP. If you refuse to use UPnP, add plex = 32400 to port forwards as above.
- I know there is some hysteria among network engineers over uPnP, but if you've gotten this far, then certainly you can keep an eye on
Status / UPnP & NAT-PMPto see if anything unexpected shows up. UPnP makes NAT liveable because a ton of network apps don't work right without a straight pipe back to a particular machine, which tempts people to open too many ports, put their machines in DMZ, or turn off their firewall entirely. Plex, Xbox Live, Skype, Slingbox, any P2P client, and many others will use uPnP to improve your performance. This saves you the trouble of configuring each one, but if you want to lock it down at some point, start with the uPnP table as a good place to look for your possible port forwards. I use ACLs to restrict what internal machines can request ports to be opened.
- I know there is some hysteria among network engineers over uPnP, but if you've gotten this far, then certainly you can keep an eye on
* Disable DNS Rebind Check under
System / Advanced / Admin Access to avoid Plex "Indirect" relay connection from LAN
You do not need to disable DNS Rebind Check. Instead, under Services / DNS Resolver / General Settings add:
The remaining headache for me was with the services and apps on my media server. If you are changing your LAN IP range or use apps that have IP filtering or IP "allow" lists, check those. For example, for Sonarr I had to run it as "Administrator" again (as recommended after first install) and/or go into Advanced settings for the Windows firewall to edit the Inbound rules and explicitly allow NzbDrone, even though it worked fine before. Not sure which change fixed it. Also affected were Tautulli, and my Unifi configuration.
I also found the excessive Default Deny logging tedious, so to reduce log noise under
System Logs / Settings, I un-checked
Log packets matched from the default block rules in the ruleset.
That's it. This captures pretty much everything I had to do to switch to pfSense and get it configured so that everything that "worked yesterday" still works and keeps the family happy.
Recommended Bonus Tips
If you are running on a modern processor, under
System / Advanced / Miscellaneous turn on:
- Cryptographic Hardware (my AMD Jaguar-based CPU supports both AES-NI and BSD cryptodev)
- Thermal Sensor appropriate for your CPU
Finally a solution to QOS/BufferBloat (but I'm not actually using it because gigabit is so hard to saturate)
- This supposedly solves QOS problems with Bufferbloat and line saturation. pfSense 2.4.4 Short Topics. Thank you to NetGate and Jim Pingle in the August 2018 Hangout for explaining how to set up the
Firewall / Traffic Shaper / Limitersto manage the inbound and outbound queues to use CoDel/FQ_CODEL. I set my WANDown and WANUp to 95% of my full un-throttled speed as measured by https://speedtest.net and https://dslreports.com.
When I started this journey, I was unable to find a straightforward reference to get me from scratch to working.
Even though your setup may not be exactly like mine, I hope this helps you begin your pfSense journey.