Gonzalo Rivero
I am Gonzalo, I live in Salta, a city located in the NW of Argentina. I play the guitar and a little harmonica. I also like to bike.

How to install pfSense for routing and firewall

In this tutorial I will show you how to setup a basic router and firewall with pfSense. With some practice and reading you could turn later on an advanced router with the firewall capabilities you could need on your network.

pfSense is an special distribution of FreeBSD intented for network routing and firewall and is rapidly becoming the world’s most trusted open source network security solution…. at least they said so, speaking only for me: I trust in this solution.

Network scenario

I made up a network for this article, consisting in:

  • A mini LAN with a pc and a WebServer that we’ll enable access only to the http service from the outside world
  • Another computer where we will install pfSense for routing data packages between that LAN and the internet. This computer will have two network cards.
  • My own PC will live on the internet
diagram showing the network in this article
My fictitious network

But… there is a but: I’m working at home today and I don’t have 4 computers. I have VirtualBox, so I’m setting up everything on my PC and the other pc, the router and the webserver are actually virtual machines.

Installing

You can download the community edition from here: https://www.pfsense.org/download/ you can choose for a CD image to burn on a physical disk or an USB image depending or what you have.

On the main site you can also pay for commercial support or appliances, get access to the documentation, etc.

how to install pfSense for routing and firewall
1st boot from CD rom

In that bootloader screen, just hit the Enter key, let pfSense boot and wait until you see the following Copyright notice

screenshot of copyright notice
Copyright and distribution notice

After reading and accept that notice, choose Install on the next screen. The other two options are useful if you had a pfsense already running that you need to recover because something is messed up.

screenshot of pfsense main installer screen
Rescue shell and Recover config.xml are very usefull options if things get messed up

The next screen is for keyboard distribution. Mine is spanish.

choose your keyboard distribution
My keyboard is in spanish

Having choosen your keyboard, the next screen will ask you on how to partition your disk.

It’s not supposed to do some dual boot on routers, in fact you shouldn’t reboot or shutdown your router because your network depends on them. That’s why I always choose one of the automatic options. BIOS is intended for older computers, and turning into a firewall it’s a good way to give your old computer another opportunity. UEFI is for not that newer computers.

partition your disks. Choose automatic
Disk partition

After partition your disk, the installation begin to copying files:

Installing pfSense
Copying files…

At last, the installer will give you two opportunities to do some manual modifications if you need. Then remove your install media and reboot.

about to finish the pfsense install
Last change to do manual changes before rebooting
pfsense installed!

Configuring your router

Console options

Reboot and this is the main screen you’ll see:

main pfSense configure screen

But before going to your browser and start configuring, let’s take a look at some of the options showed:

  • Assign interfaces: ideally you’ll have a network card per network, in this option you say which card is for the LAN, which one for the WAN/Internet, which one for the DMZ if you have one or which one for any other kind of lan you could have. Also you can setup VLANs here if you need it.
  • Set interface(s) IP address: here you setup the LAN address. Actually you can also set an IP for every network card, but you can do it later in the webConfigurator after setting up the LAN.
  • Reset webConfigurator password: if you forgot the admin password this is the place you can go. It’s very important to have a good physical security (if they can hack your system but have physical access they still can hack your system… with an axe or something)
  • Reset to factory default: use this option to start over as in a fresh install
  • Enable Secure Shell(sshd): use this to enable remote shell access
  • Restore recent configuration: If for some reason you reinstall your pfsense, here you can load your backups
  • Restart PHP-FPM: on my first pfSense installation several years ago, I only had a very old and tiny PC, one they I left the traffic graph screen opened and went home; the next day I’ve lost access to pfsense via web because php-fpm has hanged. I was about to reboot the whole slow-to-boot system but I saw this option before.

webConfigurator

After setting your LAN IP address (in my case 192.168.1.1) go to https://IP with your browser and the following warning will popup:

ssl warning you can ingnore
ssl warning

That warning it’s because secure http (https) is enabled, but pfsense it’s using self-signed SSL certificates. It’s ok because is a new installation you can trust. Later you can buy your own certificate and install on your pfSense. Click on Advanced and tell to firefox that you want to load that site anyway.

pfsense webConfigurator login screen
default password for admin user: pfsense

Login with the user admin and default password pfsense, later the system will show you a warning to change that password. When you log in for the first time, the system will launch a wizard to help you in the initial configuration

screenshot of 1st login to webconfigurator. A wizard will help you
pfSense initial configuration wizard.

We know what we are doing, so I clicked on the pfSense logo top of the screen and cancel the wizard. The main screen with a Status dashboard is showed. If your screen is large enough it will look like this:

main pfSense screen
pfSense main Status/Dashboard screen

PfSense will display a single column layout if your screen it’s smaller:

main pfsense small screen
The same as before, but in a smaller screen

Remember to change your admin password in the user manager (click the link on the warning).

Network cards configuration:

We skipped the wizard, and on the first console screen we only choose to configure the LAN IP address. We should configure the WAN now and any other card we have installed. Go to Interfaces → WAN to do it.

screenshot of network card configuration

Fortunately to get a dynamic IP from a DHCP server it’s the default option in pfsense and also the default option from internet providers (at least in my town), the other options are:

  • Static IP. This should be provided by your ISP or your Network Administrator
  • DHCP. As I said before, the default and most common option now.
  • PPP. Point-to-Point Protocol, was used on the older days of the internet when you needed a modem and a telephone line.
  • PPPoE. PPP over Ethernet. Used in ADSL connections. You also needed a modem and a telephone line, but you get better bandwidth and you can still use the phone. At least in my city they didn’t sell it anymore, but the ones that exist still work
  • PPTP: an obsolete VPN protocol
  • L2TP: another tunneling protocol for support vpns

Scroll down to the bottom and click save to configure your interface. If you have another kind of connection method, scroll down (not to the bottom) and fill out the information required. In example, if you chose static ip you will need your IP address, the netmask, and though isn’t mandatory you can add your gateway now. Fill the required information and click save.

Note: the last two options are for blocking private networks, loopback address and bogon networks. It’s a good idea to keep those blocked.

Proceed with the other network cards if need it, they have the same options.

DHCP Server

In a small network (say, with less than 10 hosts) it’s easy to configure every one of them manually with an static IP; but when the network grows, sooner than later it will become a mess. You wouldn’t know what IP addresses are free to add a new host, if you have to renumber your network you need to go re-configuring manually machine by machine.
It’s easier to set up a DHCP server and when you plug a host in the network, that host will ask for network parameters and the dhcp will answer with an available ip, the netmask, dns information, default gw. You can also leave some address fixed to certain hosts so they always get the same ip address.

I know I only have two hosts on my made-up network, but setting a dhcp service isn’t difficult at all, so go to Services → DHCP Server and enable on your LAN interface:

screenshot of dhcp server
Two mouse clicks later you have a DHCP server

It’s actually three mouse clicks later (and one scroll): I forgot to tell that you need to scroll to the bottom of that page and click on Save.

The fine print

But you should do some fine tunning before.

As is it now, anybody who connect a device to your network will get the parameters to connect, this is fine if you have a lot of guests but is not if you only want authorized devices. So, in the Deny unknown clients you should choose Allow know clients from only this interface.

Even if you permit unknown clients, if you are going to let some ip addresses fixed, you need to reduce the range of the available leases so you can assign ip from outside that range to fixed hosts. Scroll down to Range and put from and to ip as small as you want. I will go from 192.168.1.128 to 192.168.1.245

Static IP

Some times you want a host get always the same IP. Sometimes you need that. The way to do it is to associate the hardware address (MAC) of the network card to an IP. In this example I’m need my server to get always the same IP, because it’s a server it should always be reachable in the same address. The server is the same I’ve used in the moodle tutorial, and I need to get the mac with the ifconfig command:

in red: hardware and ip addresses
ifconfig output

With the mac-address 08:00:27:f4:a1:91 I can add an static mapping in pfSense. Scroll down to DHCP Static Mappings for this Interface and click + Add

adding a fixed ip
adding an static IP

You will see a lot of parameters you can configure, but the most important are: MAC Address, Client identifier and IP address. The only mandatory is a valid MAC Address. Let get back to the server and restart the network with /etc/rc.d/netif restart:

new fixed ip
The server gets the IP we want

Now the address for our server is 192.168.1.2.

There are a lot more things you can set on a dhcp server, but for now is enough.

Basic firewall rules

By now, we have a router that connects to the internet and provides correct network parameters to the hosts on your network so they can connect to the internet also. On the next section I will explain why the hosts can connect (or if they can’t how to do it). And on the last section I will explain how the internet can connect to some hosts (i.e. the webserver)

Outbound traffic

NAT stands for Network Address Translation. You probably saw in the press that the IP addresses are practically exhausted. One solution was to assign some IP ranges for private networks. We are using one of them 192.168.1.x/24 in our LAN network, maybe in your work or your house you have the same network segment because any body can use it. But to browse the internet the data packages must travel both ways: inside and outside your network.

Let’s say you want to visit wikipedia from your PC with IP 192.168.1.148, how wikipedia knows to what 192.168.1.148 send the page you requested if anybody can use this address? the answer is that wikipedia doesn’t know and didn’t care… because the request came from the public ip (public ip are unique) of your router, so wikipedia send the page to your router and your router is responsible to know that that request was made from your computer. This process is called NAT: when you make a request to the internet, your router will replace the From: field in the package with his own public ip address and send it; when the answer comes it replace the To: field in the package with your private ip address.

By default pfSense include that NAT rule for your LAN interface, but if you have more interfaces you need to add and outbound rule, you can find this rules or add new ones on Firewall → NAT → outbound:

outbound nat is autoconfigured by defautl
For this article Automatic it’s ok

Inbound traffic

What about inbound rules? you want your webserver available and reachable from the internet, you have also one connection to internet with one IP available that this pfSense is already using. Also, you don’t want to expose all your server, only the http service. What you need is some port forwarding. Go to Firewall → NAT → Port forwarding and add the following rule:

configuring inbound nat
inbound nat

In interface choose WAN because the requests will came through this interface. Protocol is TCP, but some services are UDP and some others needs both. Destination: WAN address because the requests will be sent to the public IP address of your router. Destination port range: HTTP or 80 (80 is http port), but it can be any port just you shouldn’t use the well-known ports (you can, but don’t). Redirect target IP: 192.168.1.2 this is the IP we’ve fixed to our server. Redirect target port: HTTP. And, if isn’t, choose in Filter association rule: Add associated filter rule. because pfSense filters all the incoming traffic by default. Click save and apply and your rules lists will look like this:

summary of our nat rule

Now we can test it. Go in your browser to http://wan.ip/ and your webserver will respond:

the simplest webpage ever
we need a better website 😉

A couple of things to notice:

  • The inbound NAT was made only to the http(80) port, and pfSense is running in https(port 443). If you have a real website, you’ll probably want to run in secure https. You should move pfSense to another port, to enter pfsense on your new port the url will look something like https://ip.addr:new-port/
  • You noticed the “public” ip I’m using, 192.168.100.136, isn’t public at all. In fact, as my two networks are physically (I mean, virtually) connected I’ve should solved it with static routes and avoid NAT. But I did it this way to introduce those concepts.

Last words

This is like the 0.few% of things you can do with pfSense. You can setup things like proxy cache, VPN (with ipsec, OpenVPN, …), Captive Portals, Vlan, balance multiple WAN connections, IPv6 and the list goes and goes. You can even pay for official commercial support and someone will help you or do it for you.
I always finish my articles with a link to the documentation, so here it is: https://docs.netgate.com/pfsense/en/latest/ . If you are new to the computer networks world, I recommend you to start reading Networking concepts.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest articles

x