pfSense is one of the most widely used open source firewall solutions. We have been using it in our school for several years now and are very satisfied with it because it simply offers many features for which you have to invest a lot of money elsewhere. Today I want to show you how to install pfSense and how to set it up. Before that, I’d like to talk about various hardware that is suitable for running pfSense.
In general, you can say that you can theoretically use any computer with at least two network cards to run pfSense. This could be, for example, an old computer which you no longer need and which you equip with a second network card. But often an old computer is not very energy efficient and other alternatives are more appropriate. In addition to power consumption, the intended use case plays a decisive role. It makes a difference whether I use the firewall at home with a few users or in a school or a company with considerably more accesses.
For home use the APU2C4 board from PC Engine is popular (mainly in Europe), but also passively cooled mini computers like this or that one. For a school or company, a board with at least 4 network cards is recommended, depending on the requirements. We use a SG-4860 from Netgate. If you search for pfSense at Amazon or AliExpress, you will find many offers. The only important thing is that the CPU supports AES-NI, because this feature of pfSense will be absolutely necessary in future versions.
On the website of the pfSense project there are some general hints about the hardware requirements:
The available bandwidth should also be taken into account when selecting hardware, otherwise pfSense could become a bottleneck.
Before starting the installation, you need to know which pfSense image you need. This depends, for example, on whether the hardware used has a VGA/HDMI output or only a serial console. Or whether you want to install via CD, USB flash drive or directly on the hard disk. Therefore I would like to give some hints here:
Architecture:
Type of image
Console
If you know which image you need, you can download it from the pfSense website.
The pfSense documentation contains a lot of information about preparing a USB flash drive. In our example we assume a USB Memstick VGA Installer. First you should format or empty the USB stick. This is very easy under Linux with
$ sudo dd if=/dev/zero of=/dev/sdz bs=1M count=1
Note: It is essential to pay attention to which device is specified after of=/dev/. Otherwise it can happen that you empty your main partition and data is irretrievably lost! To find out the device name, it is best to plug in the USB stick and then run
_dmesg_
in a terminal. Then you can see which device name the USB stick got (often it is /dev/sdb_)._
Instructions for clearing a USB flash drive under Windows or macOS can be found in the documentation linked above.
Now you can write the downloaded image to the USB flash drive.
$ gzip -dc pfSense-memstick-2.4.4-RELEASE-amd64.img.gz | sudo dd of=/dev/sdz bs=1M $ sync
The USB flash drive is now ready. Next boot from this USB thumb drive and start the installation. Depending on the BIOS, the stick will be recognized as a USB device or another hard disk. The boot sequence has to be changed often to avoid booting from the 1st hard disk. The documentation also provides some ideas if booting does not work.
After successful booting, the pfSense welcome screen appears.
Here you choose “Install“. In the next dialog you can define the keyboard layout. For partitioning it is best to use “Auto (UFS)” and confirm again with Enter.
Then the automatic installation starts. When the installation is finished, you will be asked if you want to open a shell (you can deny that). Finally you have to restart the system (“Reboot“). At the following boot you should make sure that you do not boot from the USB flash drive again, but from the hard disk!
During the restart pfSense automatically tries to configure the WAN interface. The WAN interface is the network card that is connected to the Internet service provider’s router or to the Internet in general. If the automatic configuration is successful, the pfSense console menu will appear, otherwise you will be greeted with a dialog.
To change the WAN and LAN interfaces, select №1 “Assign Interfaces”. Now you have to answer some questions:
If a DHCP server is running on the WAN interface, it should automatically have an IP address. If not, you have to configure an IP address for both the WAN and the LAN interface. As an example I will show it here for the LAN interface. Select №2 “Set interface(s) IP address“.
With a computer that is also connected to the LAN network, you can access the pfSense web interface at https://10.10.10.1 to make a few basic settings. The first time, a certificate warning appears. Since this is a self-signed certificate for the HTTPS connection, you have to accept it. The default credentials are admin with the password pfsense.
After login you will be greeted by an assistant. In the second step you can assign a host name to the firewall and enter the domain. Also important is the primary and secondary DNS server and whether the DNS server can be overwritten via DHCP at the WAN interface (e.g. to use the DNS of the Internet service provider).
In the next steps you set the time zone, check the configuration of the WAN and LAN interface again and should assign a new admin password in step 6. This completes the setup.
Installing pfSense is usually easy. Sometimes it is difficult to choose the right image for the installation or booting from a USB stick or to set up the serial connection. The pfSense documentation deals with many of these problems and offers suggestions for solutions. After the initial configuration, the firewall is ready for use. However, the firewall can still be greatly extended and adapted. This should be the topic of future articles.
Originally published at openschoolsolutions.org.