pfSense Installation

How to Install, Configure and Secure pfSense: The Complete Guide

M.T

3 min read
How to Install, Configure and Secure pfSense: The Complete Guide

Introduction

pfSense is an open-source firewall and router software based on FreeBSD. It offers enterprise-grade features such as advanced routing, VPN, traffic shaping, and stateful firewalling. Thanks to its flexibility and active community, pfSense is one of the most trusted solutions in network security.

This guide walks you through the installation, initial configuration, and essential security hardening of pfSense.

1. Prerequisites

Before proceeding, ensure you have the following:

  • A dedicated physical or virtual machine with at least 2 NICs (WAN and LAN)
  • pfSense ISO image downloaded from pfsense.org
  • A USB stick (for physical install) or a virtual machine on platforms like VirtualBox, Proxmox, VMware, etc.
  • Internet access for package installation and updates

2. Installing pfSense

a. Create Bootable Installation Media

  • Use tools like Rufus (Windows) or balenaEtcher (Linux/macOS) to write the ISO image to a USB drive.
  • Insert the USB into your firewall machine and boot from it.

b. Run the Installer

  • Choose "Install pfSense" in the boot menu.
  • Select your preferred keymap (usually "default") and press Enter.
  • Choose Auto (UFS) for guided disk partitioning.
  • Wait for the installation to complete.
  • Reboot and remove the USB.

c. Assign Interfaces

  • After boot, pfSense will ask you to assign interfaces.
  • Typically, the first is WAN and the second is LAN.
  • Once assigned, the LAN interface will be set to a default IP of 192.168.1.1/24.

3. Initial Setup and Web Configuration

a. Access the Web GUI

  • Connect a PC to the LAN port.
  • Open a browser and navigate to: https://192.168.1.1
  • Accept the SSL warning.
  • Login with:
    • Username: admin
    • Password: pfsense

b. Run the Setup Wizard

  • Set a new admin password.
  • Define hostname, domain, and DNS servers (e.g. 1.1.1.1, 8.8.8.8).
  • Select WAN type (DHCP, Static IP, PPPoE, etc.).
  • Confirm or adjust LAN IP settings.
  • Choose update mirror and time server.
  • Save and reload.

4. Basic Configuration

a. System Update

  • Go to System > Update and install all available updates.

b. Configure DHCP Server

  • Navigate to Services > DHCP Server.
  • Enable the service for LAN.
  • Define IP range (e.g., 192.168.1.100 to 192.168.1.200).

c. Configure Firewall Rules

  • Go to Firewall > Rules > LAN.
  • By default, LAN has allow-all outbound access.
  • Add custom rules to control access between networks.

d. Enable SSH Access (Optional)

  • Go to System > Advanced > Admin Access.
  • Enable Secure Shell and optionally change SSH port.

e. Configure DNS

  • Use DNS Resolver (default) or switch to DNS Forwarder.
  • Configure upstream DNS servers in System > General Setup.

f. Install Packages

  • Go to System > Package Manager.
  • Recommended: pfBlockerNG, ntopng, Snort, Suricata.

5. Security Hardening

a. Change Default Credentials

  • Change default password during wizard.
  • Go to System > User Manager to create new users with limited access.

b. Restrict Web GUI Access

  • Go to System > Advanced > Admin Access.
  • Limit access to specific IP ranges.
  • Enable HTTPS only with a valid certificate.

c. Lock Down WAN Interface

  • Go to Firewall > Rules > WAN.
  • Default rule blocks all inbound traffic.
  • Only open specific ports (e.g., 443 for VPN) if necessary.

d. Disable Unused Services

  • Turn off services like UPnP, SSH, and FTP if not used.
  • Go to Services section and disable unnecessary items.

e. Enable Logging and Monitoring

  • Go to Status > System Logs.
  • Enable notifications via email or Telegram under System > Advanced > Notifications.

f. Regular Backups

  • Go to Diagnostics > Backup & Restore.
  • Automate config backup to remote storage or manually export.

6. Advanced Add-ons and Features

a. VPN Setup

  • Built-in support for OpenVPN, IPsec, and WireGuard.
  • Use VPN > OpenVPN Wizard for guided setup.

b. Multi-WAN Load Balancing

  • Go to System > Routing > Gateways.
  • Add multiple WANs and set failover priorities.

c. Traffic Shaping

  • Navigate to Firewall > Traffic Shaper.
  • Use wizards to set QoS rules based on bandwidth.

d. Captive Portal

  • Set up under Services > Captive Portal.
  • Use for guest access and authentication with vouchers or RADIUS.

e. High Availability

  • Use CARP to assign virtual IPs.
  • Synchronize settings using pfSync and XMLRPC Sync.

Conclusion

pfSense is a robust and flexible firewall solution suitable for both small and large-scale deployments. With proper installation, thoughtful configuration, and security best practices, it can protect your network with precision and efficiency.

For ongoing protection, keep pfSense updated, monitor logs, and back up configurations regularly.

Read more

Threat Hunting Operations: Integrating Proactive Detection into Traditional SOC Workflows

Threat Hunting Operations: Integrating Proactive Detection into Traditional SOC Workflows

In today's rapidly evolving threat landscape, Security Operations Centers (SOCs) face unprecedented challenges in detecting sophisticated threats that routinely bypass traditional security controls. While alert-driven processes remain essential, organizations increasingly recognize that reactive approaches alone are insufficient against advanced persistent threats (APTs), insider threats, and fileless malware. Threat