Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
pfSense Easy Configuration Guide for HP t620 Plus

pfSense Simple Home Configuration - 2.4.3 / 2.4.4

Starting from Scratch

This is my personal guide for installing pfSense. Hope you find it useful. I made these notes to capture the details of my "install from scratch" to ensure I didn't miss important details. Also, I'm trying build my network with discrete "disposable" components that make the system mutable and less rigid. It does not cover installing any packages like Squid or Suricata as that's way beyond the scope of a basic, functional install.

I migrated from an environment that was at various times running Tomato Toastman 1.28 or Asuswrt-Merlin on Netgear and ASUS routers across four "access points" (one always acting as the firewall/gateway, the rest as APs). It was OK pre-gigabit, but had roaming problems, and I was using large Wifi routers with most of the features disabled. Also, I found that I could easily swamp the network and tank VOIP and Wifi Calling without even trying. The only fix was to throttle everything by using Bandwidth Limiter or QOS, both of which exacted about a 50% penalty on my bandwidth, and (worst of all) the QOS implementations in all of these firmwares (including the stock firmware) has been known to be buggy since the beginning of time.

With this, I eliminated four (very ugly) $100-200 routers all with between three and six goofy antennas, and I replaced them with a pfSense firewall/router (this guide), a Unifi Cloudkey, and four attractive/invisible Unifi APs (1 x UAP-AC-PRO, 2 x UAP-AC-LITE, 1 x UAP-AP-InWall). Update: CloudKey v1 kept having issues with the database filling up and crashing. Now running the Unifi controller on its own dedicated box and I have no data retention concerns.

The Build

I used an HP t620 plus Thin Client acquired on eBay for less than $80 US (note the 'plus' for the PCI slot where you will install a low-profile network card. This makes an excellent machine for a pfSense firewall/router because it can easily handle WAN speeds up to a gigabit and many dozens of clients. Mine came equipped as follows:

AMD GX-420CA SOC with Radeon(tm) HD Graphics, 4 GB RAM, 16GB SSD  

The HP t620 plus includes one RTL8111 gigabit port and I added two additional ports in the PCI slot via a low-profile SYBA 2-port Ethernet PCIe also with Realtek RTL8111 chips (from Amazon). pfSense seems to support just about anything, including USB ethernet dongles, but not reommended for "production" builds.

The Install

  1. Prepare pfSense USB stick version
  2. Reset the BIOS to defaults.
  3. Boot to the USB stick (labeled UEFI PMAP USB on my machine)
  4. Install pfSense on ZFS using all the default options

Congratulations! You now have an enterprise-grade firewall ready to configure.

The Console Configuration

Reboot and wait for the pfSense console menu, then configure the ethernet Interfaces:

*** Welcome to pfSense 2.4.3-RELEASE (amd64) on pfsense ***

 0) Logout (SSH only)                  9) pfTop
 1) Assign Interfaces                 10) Filter Logs
 2) Set interface(s) IP address       11) Restart webConfigurator
 3) Reset webConfigurator password    12) PHP shell + pfSense tools
 4) Reset to factory defaults         13) Update from console
 5) Reboot system                     14) Disable Secure Shell (sshd)
 6) Halt system                       15) Restore recent configuration
 7) Ping host                         16) Restart PHP-FPM
 8) Shell

Enter an option: 1

Valid interfaces are:

re0     00:13:3b:0f:e3:xx   (up) RealTek 8168/8111 B/C/CP/D/DP/E/F/G PCIe Gigab
re1     00:13:3b:0f:e3:xx   (up) RealTek 8168/8111 B/C/CP/D/DP/E/F/G PCIe Gigab
re2     00:8c:fa:d5:d2:xx (down) RealTek 8168/8111 B/C/CP/D/DP/E/F/G PCIe Gigab

Tip: use auto-configuration if you don’t know the port labels (re0, re1, etc). Do not plug in the ethernet cable until after you select 'a', and then watch for the link lights before you hit 'enter' to detect. I assign mine as follows (already plugged in as noted by 'up' above):

WAN (wan) -> re0
LAN (lan) -> re1

Confirm, then wait 1-2 minutes for menu to return. If everything goes well, you will eventually see something like this:

pfSense - Serial: MXL4431xxx - Netgate Device ID: c7884a54adec049bxxxx

*** Welcome to pfSense 2.4.3-RELEASE (amd64) on pfsense ***

 WAN (wan)       -> re0        -> v4/DHCP4: 71.204.xx.xx/22
                                  v6/DHCP6: 2001:558:6011:7a:1dd4:45b:xxxx:xxxx/128
 LAN (lan)       -> re1        -> v4: 192.168.1.1/24
                                  v6/t6: 2601:c2:c100:85b4:213:3bff:xxxx:xxxx/64

Installation defaults:

  • WAN is configured as an IPv4 and IPv6 DHCP client (seen above with ISP IPs)
  • LAN is configured with a static IPv4 address of 192.168.1.1/24
  • All incoming connections to WAN are blocked
  • All outgoing connections from LAN are allowed
  • IPv4 DHCP Server is enabled
  • The DNS Resolver (unbound) is enabled
  • The DNS Forwarder (dnsmasq) is disabled
  • SSH is disabled
  • pfSense WebGUI is running on port 443 using HTTPS

Refer to the pfSense docs for additional details about the default configuration.

The Web Configuration

Connect a PC or laptop to the LAN port. IP address will pull via DHCP - likely 192.168.1.100.
Login to pfSense via your browser - https://192.168.1.1

  • username = admin
  • password = pfsense

The Setup Wizard (9 steps)

Step Settings
1. Netgate Global Support none
2. General Information hostname = pfsense
domain = blank typically
Primary DNS Server = 1.1.1.1
Secondary DNS Server = 9.9.9.9
Override DNS = unchecked
3. Time Server Information Timezone = yours
4. Configure WAN Inferface No changes
5. Configure LAN Interface No changes
6. Set Admin GUI password Enter a secure password (twice)
7. Reload Configuration Do it
8. Reload in Progress OK
9. Wizard Completed Congratulations!

Aside: I have a domain registered with afraid.org that I use in Step 2 that gets connected via DDNS below. Use whatever you prefer for DNS servers.

Bogons Be Gone - May not apply to versions newer than 2.4.3

If you see alerts in the upper right hand corner, click to see if it’s this:

There were error(s) loading the rules: /tmp/rules.debug:18: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [18]: table <bogonsv6> persist file "/etc/bogonsv6"

I get four errors like this on my install. You can correct by increasing Firewall Maximum Table Entries (in my case, from 200000 to 400000) under System / Advanced / Firewall & NAT

Recommended: Turn on SSH (Secure Shell) so you can access the console in case your web configuration gets hosed. This should generate two alerts: "pfSense is creating missing SSH keys", and "pfSense has completed creating SSH keys".

First Things First

Backup your configuration.

Diagnostics / Backup & Restore / Backup & Restore

Click the button labeled Download Configuration as XML and save to your local computer. Now you have a backup of the 'base' configuration that you can restore at any time if you get into a jam. Note that pfSense also saves quite a few configurations under the Config History, but if you are making many changes, your base install will fall off the bottom very quickly. For instance, each step in the wizard creates a backup, and running through it three times will basically clear out all auto-backups. Update: Auto Configuration Backup (Gold feature) is now free to all.

Take a look at the Config History to see the diffs of all the changes made so far. This is a great way to learn the basics of the pfSense default install. Now, go start configuring the system to your liking.

Installation Complete

Seriously, make a backup. Don't change anything else until you have downloaded a copy of the configuration to this point. If you don't have a backup, I guess you can always start back at the top.

My configuration

The following section documents all the critical things I have to remember to do, so that the things I expect to "just work" actually do. Some of these were learned painfully, by trial and error, or from other kind souls on the interwebs.

DDNS, DHCP, and Static IPs

  • Setup DDNS under Services / Dynamic DNS / Dynamic DNS Clients
    • DNS-o-matic for me, which updates afraid.org for my domain
  • Add ICMP ping "pass" rule to firewall for any line monitoring services like DSLReports (don’t forget to hit apply)
  • Add static DHCP mappings (if you start from the Status / DHCP Leases page, you can pick up the MAC address from your target hosts automatically). I leave my DHCP range as 192.168.1.100-199, and configure the following:
    • my Unifi wireless access points and controller on 192.168.1.2-9
    • my NAS, Plex, and cameras all have static IPs in clusters of 10 IPs so they are easy to find.

I eventually assign all "regular" devices on my LAN to static IPs in various ranges of 10 IPS so that I can easily spot new devices. I don't bother anymore if the device doesn't NEED to be static.

Packages and VLANs

Don't install any packages or add VLANs. This was my problem after my first install. I added VLANs, and Squid, and Suricata, and Snort... just wait. You are a much greater danger to yourself at this stage, so focus on learning the menus and reviewing the logs. Are you even sure that your configuration works with your existing devices? Give it a couple of days. Go check your home automation, your Rokus, your car, your doorbell, etc.

Tip: Remember that backup I said you needed to download? This would be a good time to do that (again), because, if you are like me, you're going to screw with some setting along the way that will break your firewall, and you won't know what you did.

I only run four packages on my install:

  1. bandwidthd (for stats).
  2. darkstat (because you can never have enough stats).
  3. (nmap) looks up MAC addresses in the OUI database, so instead of only a list of MACs in the DHCP leases, you'll see the MAC and in parantheses you'll see the manufacturer (if available).
  4. pfBlockerNG-devel (this is an execise for the reader, and I actaully don't run it anymore).

Port Forwarding and NAT

Since all unsolicited incoming traffic is blocked by default (default deny), to allow requests from outside your LAN, you must open external ports. The external port can be what ever you like, and the internal redirect port will be the port a given app/service is listening on (examples: web = 80, synology = 20000, plex = 32400).

for example, for web server, under Firewall / NAT / Port Forward, add HTTP (Port 80) Forward to the WAN interface.

  • Set Destination port range to HTTP
  • Set Redirect target IP to the static IP of your web server configured above

To browse to your web server by external name/IP, you can configure System / Advanced / Firewall & NAT to handle traffic originating inside your LAN and loop back to the appropriate server.

  • NAT Reflection mode for port forwards: NAT + Proxy
  • Enable NAT reflection for 1:1 NAT: checked
  • Enable auto outbound NAT for reflection: checked

Tip: Don't forget to clear your browser cache or hold Ctrl and click Refresh to clear/refetch the http/https redirects.

Tip: Test external access with Online Port Checker.

Plex Settings

Plex needs to connect directly for maximum performance, because if it goes through their relay service, performance is limited to 1-2mbps. Quoting Plex: "Enabling Remote Access to connect your server with plex.tv works best with modern routers that support uPnP or NAT-PMP auto-configuration."

  • Enable uPnP in Services / UPnP & NAT-PMP. If you refuse to use UPnP, add plex = 32400 to port forwards as above.
    • I know there is some hysteria among network engineers over uPnP, but if you've gotten this far, then certainly you can keep an eye on Status / UPnP & NAT-PMP to see if anything unexpected shows up. UPnP makes NAT liveable because a ton of network apps don't work right without a straight pipe back to a particular machine, which tempts people to open too many ports, put their machines in DMZ, or turn off their firewall entirely. Plex, Xbox Live, Skype, Slingbox, any P2P client, and many others will use uPnP to improve your performance. This saves you the trouble of configuring each one, but if you want to lock it down at some point, start with the uPnP table as a good place to look for your possible port forwards. I use ACLs to restrict what internal machines can request ports to be opened.

* Disable DNS Rebind Check under System / Advanced / Admin Access to avoid Plex "Indirect" relay connection from LAN

  • You do not need to disable DNS Rebind Check. Instead, under Services / DNS Resolver / General Settings add:

    private-domain: "plex.direct"

More informarion at How to Use Secure Server Connections and Plex Media server is on an “Indirect” connection

Final Notes

The remaining headache for me was with the services and apps on my media server. If you are changing your LAN IP range or use apps that have IP filtering or IP "allow" lists, check those. For example, for Sonarr I had to run it as "Administrator" again (as recommended after first install) and/or go into Advanced settings for the Windows firewall to edit the Inbound rules and explicitly allow NzbDrone, even though it worked fine before. Not sure which change fixed it. Also affected were Tautulli, and my Unifi configuration.

I also found the excessive Default Deny logging tedious, so to reduce log noise under System Logs / Settings, I un-checked Log packets matched from the default block rules in the ruleset.

Done

That's it. This captures pretty much everything I had to do to switch to pfSense and get it configured so that everything that "worked yesterday" still works and keeps the family happy.

Recommended Bonus Tips

If you are running on a modern processor, under System / Advanced / Miscellaneous turn on:

  • Cryptographic Hardware (my AMD Jaguar-based CPU supports both AES-NI and BSD cryptodev)
  • Thermal Sensor appropriate for your CPU

Finally a solution to QOS/BufferBloat (but I'm not actually using it because gigabit is so hard to saturate)

  • This supposedly solves QOS problems with Bufferbloat and line saturation. pfSense 2.4.4 Short Topics. Thank you to NetGate and Jim Pingle in the August 2018 Hangout for explaining how to set up the Firewall / Traffic Shaper / Limiters to manage the inbound and outbound queues to use CoDel/FQ_CODEL. I set my WANDown and WANUp to 95% of my full un-throttled speed as measured by https://speedtest.net and https://dslreports.com.

In Closing

When I started this journey, I was unable to find a straightforward reference to get me from scratch to working.

Even though your setup may not be exactly like mine, I hope this helps you begin your pfSense journey.

Thanks

Thanks to Lawrence Systems, Everyday Techie, Calvin Bui, LinOxide, and the NetGate forums.

@jducifuentes
Copy link

jducifuentes commented Aug 3, 2019

Hi, I have a T620 also and planned to use as a light 24/7 server but I cannot set any bios option to prevent power always on. I mean, if power losses the little server stays off....

@deergod1
Copy link
Author

deergod1 commented Sep 6, 2019

I definitely have mine set to power on after power loss. When I plug it in, it just comes on like an appliance. I wish I could grab you a screen shot, but I can't bring down the firewall right now. If you check the manual, look on page 38:

Power-On Options Allows you to set:
● POST messages (enable/disable). Default is disabled.
● After Power Loss (off/on/previous state). Default is Power off. Setting this option to:
◦ Power off—causes the computer to remain powered off when power is restored.
◦ Power on—causes the computer to power on automatically as soon as power is restored.
◦ Previous state—causes the computer to power on automatically as soon as power is
restored, if it was on when power was lost.

@jducifuentes
Copy link

jducifuentes commented Sep 6, 2019

Hi, thanks for your reply.... I finally got it but I have to edit bios parameter by cmd line..... Don't know why my bios menus haven't that option...

Here is more info:
https://developers.hp.com/hp-client-management/doc/bios-configuration-utility
https://ftp.hp.com/pub/caps-softpaq/cmit/HP_BCU.html

@deergod1
Copy link
Author

deergod1 commented Sep 8, 2019

Good workaround! Thanks!

@datawithdev
Copy link

datawithdev commented Sep 10, 2019

@deergod1 Did you use any networking switch between pfsense and your access points? If yes, which one?
If not, you only had 2 NICs available for LAN so math wouldn't add up for access point, NAS, plex and controller.

@deergod1
Copy link
Author

deergod1 commented Sep 23, 2019

Nothing gets past the Ho Sale. My topology is AT&T Gateway - pfSense - Unifi Switch 24 - Crab Nebula - The rest of the universe.

I'm using about half of the 24 ports to run all over my hous... I'm mean... the galaxy. I also have a Unifi Switch 8 150W to power various trap doors, worm holes, APs, and cameras. I might have been slightly more right-sized to get a US‑24‑250W, but here we are. I also have several dumb switches at endpoints to allow plugging in ethernet cables behind TVs and stuff at gigabit speed. I should really draw up a diagram some day.

I would not recommend using pfSense as a simple switch. Save it for the hard stuff like alternate LAN segments or DMZ.

@deergod1
Copy link
Author

deergod1 commented Sep 23, 2019

This dude did a decent job. Needs an equipment refresh, but I like his style:
https://www.reddit.com/r/SmartThings/comments/cuq615/what_does_my_router_see/exz27pp?utm_source=share&utm_medium=web2x

@kcallis
Copy link

kcallis commented Nov 5, 2019

I remember when I was looking at the t620 that there was a diffence between the Rev A and the Rev B motherboard versions. It was a long time ago, so Xi you know what the diffence is between the two. Secondly, does the t620 have aes-ni so we can move beyond 2.4?

@deergod1
Copy link
Author

deergod1 commented Nov 12, 2019

I remember that distinction, but it did not influence my purchase, and does not affect the installation as far as I know. I can't even tell you which Revs I have. I am definitely running Hardware crypto (aesni and cryptodev).

@Grrby
Copy link

Grrby commented Feb 15, 2020

Hi,
My t620 is not able to boot without monitor attached to Display Port (red flashing and annoying beeping). I can not find any relative option in BIOS.
Do you have any idea how to change this behavior?

@deergod1
Copy link
Author

deergod1 commented Mar 19, 2020

Interesting. I have a t620, t730, and t820 but none complain about missing monitors. I usually reset the bios to defaults and make changes from there. Without rebooting my firewall, which has no monitor, my best guess is Disable the PCI Express Slot and the PCI SERR# and PCI VGA Palette Snooping. I also disable all the other stuff I'm not using like Parallel Ports and Audio. Did you get it worked out?

@Grrby
Copy link

Grrby commented Mar 19, 2020

Problem solved by updating BIOS. You can read bios history.

History
Version 2.19

  • AMI and HP copyright information updated.
  • Adds the patch for BB sound pops out after power on when thin client do not connect monitor.

@deergod1
Copy link
Author

deergod1 commented Mar 20, 2020

Nice. Thanks for the update!

@nicksweb
Copy link

nicksweb commented Jul 28, 2020

Thanks for your help with this guide, I'm about to buy my PFSense HP T620 today also. Can you confirm the fan is no-louder than say a usual desktop PC? Like say an Optiplex (Dell) or a HP Desktop? Just don't want something as loud as a switch!

@datawithdev
Copy link

datawithdev commented Jul 28, 2020

@danesparza
Copy link

danesparza commented Dec 16, 2020

Thinking about building one of these myself.

Just wanted to note that the Unifi CloudKey gen1 sucked (I tried and returned it as well -- and ran a standalone controller server for several years). I recently got a Gen2 cloudkey and it's been a dream. Quiet, simple and efficient.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment