Uncategorized

How to Configure a pfSense Firewall from Scratch

How to Configure a pfSense Firewall from Scratch
Photo by Pixabay on Pexels

How to Configure a pfSense Firewall from Scratch

pfSense is a powerful, open-source firewall and routing platform based on FreeBSD. It offers enterprise-grade features at no cost, making it an ideal choice for small businesses, home labs, and organizations looking to secure their networks without breaking the bank. This comprehensive guide will walk you through configuring a pfSense firewall from scratch, covering everything from initial installation to advanced security configurations.

Table of Contents

Understanding pfSense and Its Benefits

pfSense transforms standard x86 hardware into a dedicated firewall and router with features typically found in expensive commercial solutions. It includes stateful packet filtering, network address translation (NAT), VPN capabilities, traffic shaping, and intrusion detection systems. Organizations worldwide trust pfSense for protecting sensitive data and managing network traffic efficiently.

The platform’s web-based interface makes configuration accessible even for those new to network security, while its advanced features satisfy experienced administrators. Whether you’re protecting a home network or managing enterprise infrastructure, pfSense scales to meet your needs.

Hardware Requirements and Preparation

Before installing pfSense, ensure your hardware meets the minimum requirements. At minimum, you’ll need a system with at least 1GB of RAM, 8GB of storage, and a compatible CPU supporting AES-NI for modern encryption. For production environments, 2GB RAM and 16GB storage provide better performance and room for logging.

Network Interface Cards

Your pfSense box requires at least two network interface cards (NICs): one for the WAN (internet) connection and one for the LAN (internal network). Intel-based NICs offer the best compatibility and performance with pfSense. Realtek chips may work but often present driver challenges.

Download the pfSense installer from the official website, selecting either the AMD64 architecture for most modern systems or ARM for supported embedded devices. Write the image to a USB drive using tools like Rufus on Windows or dd on Linux.

Installation Process

Boot your hardware from the USB installer and select the default boot option. The installation wizard guides you through the process with straightforward prompts.

Step-by-Step Installation

When the installer loads, accept the copyright notice and choose “Install pfSense.” Select the target hard drive where pfSense will be installed. Choose the appropriate partitioning scheme—UFS works well for traditional hard drives, while ZFS offers advanced features for those comfortable with its complexity.

After installation completes, remove the USB drive and reboot. The system will boot into pfSense and display the console menu, showing assigned network interfaces and their IP addresses.

Initial Configuration via Web Interface

By default, pfSense assigns the LAN interface the IP address 192.168.1.1. Connect a computer to the LAN port and configure it to receive an IP address via DHCP or manually set an IP in the 192.168.1.x range.

Open a web browser and navigate to https://192.168.1.1. You’ll encounter a certificate warning since pfSense uses a self-signed certificate—this is normal for initial setup. Accept the warning and proceed.

Setup Wizard

Log in using the default credentials (username: admin, password: pfsense). The setup wizard launches automatically on first login. Configure the following:

  • Hostname and Domain: Set meaningful names for your firewall
  • Primary DNS Server: Enter your ISP’s DNS or public DNS servers (8.8.8.8, 1.1.1.1)
  • Time Zone: Select your correct time zone for accurate logging
  • WAN Interface Configuration: Choose DHCP if your ISP provides dynamic addresses, or configure static IP settings
  • LAN Interface Configuration: Modify the default 192.168.1.1/24 if it conflicts with your existing network
  • Admin Password: Change the default password immediately

Click “Reload” to apply changes. Your pfSense firewall is now accessible with basic functionality.

Configuring Network Interfaces

Navigate to Interfaces > Assignments to manage network interfaces. If you have additional NICs for DMZ networks, guest networks, or VLANs, assign them here.

Creating VLANs

For segmented networks, create VLANs by going to Interfaces > Assignments > VLANs. Click “Add” and specify the parent interface, VLAN tag (1-4094), and description. After creating VLANs, assign them as interfaces under Interfaces > Assignments.

Enable each new interface and configure IP addressing. For most internal networks, static IPv4 addresses work best. Define subnet masks appropriate for your network size—/24 (255.255.255.0) provides 254 usable addresses for typical small networks.

Setting Up Firewall Rules

Firewall rules control traffic flow through pfSense. By default, pfSense blocks all incoming WAN traffic and allows all outgoing LAN traffic—a secure starting point.

Understanding Rule Processing

pfSense processes rules from top to bottom, applying the first matching rule. Rules are evaluated per interface, so configure rules on the interface where traffic originates. To allow internet access from LAN, the default LAN rules suffice. To block specific traffic, add deny rules above allow rules.

Creating Custom Rules

Navigate to Firewall > Rules and select the interface. Click “Add” to create rules. Specify:

  • Action: Pass (allow), Block, or Reject
  • Protocol: TCP, UDP, ICMP, or any
  • Source: Network, address, or alias
  • Destination: Network, address, port, or alias
  • Description: Always document rule purposes

For example, to allow LAN users to access web services while blocking social media, create allow rules for ports 80 and 443, then add block rules for specific social media IP ranges using aliases.

When securing remote access to your network, consider using VPN solutions alongside your firewall rules. Services like NordVPN provide additional layers of encryption for remote workers connecting to your pfSense-protected network.

DHCP and DNS Configuration

pfSense includes a DHCP server for automatically assigning IP addresses to network clients. Navigate to Services > DHCP Server and select your LAN interface.

DHCP Configuration

Enable the DHCP server and define the IP address range. For a 192.168.1.0/24 network, you might allocate 192.168.1.100 through 192.168.1.200 for DHCP, reserving lower addresses for static assignments to servers and network equipment.

Configure lease time based on your environment—shorter leases (1-4 hours) suit networks with frequent device changes, while longer leases (24+ hours) reduce DHCP traffic on stable networks.

DNS Resolver Setup

The DNS Resolver (Unbound) handles DNS queries for your network. Under Services > DNS Resolver, verify it’s enabled. Enable “DNS Query Forwarding” if you want pfSense to forward queries to external DNS servers. Enable “DHCP Registration” to allow internal hostname resolution for DHCP clients.

For enhanced privacy, configure DNS over TLS by adding forwarding entries for secure DNS providers under System > General Setup.

Security Hardening Best Practices

After basic configuration, implement security hardening measures to protect your firewall.

Disable Unused Services

Review Services menu items and disable any services you don’t use. Unnecessary services expand your attack surface.

Enable Automatic Updates

Navigate to System > Update and configure automatic security update checks. While pfSense won’t auto-install updates, you’ll receive notifications about critical patches.

Configure Logging and Monitoring

Proper logging helps detect security incidents. Under Status > System Logs, configure log retention and review logs regularly. Enable remote logging to a syslog server for long-term storage and analysis.

For organizations requiring detailed monitoring of user activity across the network, complementing pfSense with endpoint monitoring solutions like SentryPC provides comprehensive visibility into both network traffic and individual device usage patterns.

Implement Intrusion Detection

Install Snort or Suricata packages from System > Package Manager for intrusion detection and prevention. These systems analyze traffic patterns and block malicious activity based on signature databases.

Advanced Features Configuration

OpenVPN Setup

For secure remote access, configure OpenVPN under VPN > OpenVPN. Use the wizard to create a server instance, generate certificates, and export client configurations. OpenVPN provides encrypted tunnels for remote workers accessing internal resources.

Traffic Shaping

Quality of Service (QoS) prioritizes critical traffic. The Traffic Shaper wizard under Firewall > Traffic Shaper helps prioritize VoIP, video conferencing, and other latency-sensitive applications.

High Availability

For business-critical environments, configure CARP (Common Address Redundancy Protocol) for failover between two pfSense firewalls. This ensures network continuity if one firewall fails.

Package Installation

Extend pfSense functionality through packages. Popular additions include:

  • pfBlockerNG: Advanced blocking of ads, malware, and geographic regions
  • HAProxy: Load balancing and reverse proxy
  • Squid: Web proxy and caching
  • ntopng: Network traffic analysis and monitoring

Install packages from System > Package Manager > Available Packages.

Conclusion

Configuring a pfSense firewall from scratch provides robust network security with enterprise features at no licensing cost. By following this guide, you’ve established a secure foundation for your network with proper interface configuration, firewall rules, and essential services. Regular maintenance, including firmware updates, rule reviews, and log monitoring, ensures your pfSense firewall continues protecting your network effectively.

As you become more comfortable with pfSense, explore advanced features like VPNs, multi-WAN configurations, and custom package installations to further enhance your network’s capabilities and security posture.

Follow Networkyy

Join 125,000+ IT professionals:

Leave a Reply

Your email address will not be published. Required fields are marked *