---
layout: guide
title: "pfSense Guide"
description: How to convert an old desktop PC into a router/firewall combo
carousels:
  installing:
    title: Navigating the Install Wizard
    steps:
      - text: Wait for the installer to boot
        image: /assets/images/guides/pfsense/setup-boot.png
      - text: Accept the copyright agreement
        image: /assets/images/guides/pfsense/setup-copyright.png
      - text: Select `Install` on the welcome screen
        image: /assets/images/guides/pfsense/setup-welcome.png
      - text: For partitioning, select `Auto (ZFS)`
        image: /assets/images/guides/pfsense/setup-partitioning.png
      - text: Wait for the installer to probe for devices
        image: /assets/images/guides/pfsense/setup-probe.png
      - text: On the ZFS Configuration menu, select `Pool Type/Disks` and press enter
        image: /assets/images/guides/pfsense/setup-zfs-menu-pool.png
      - text: When asked for device type, choose `Striped`. Then press enter
        image: /assets/images/guides/pfsense/setup-zfs-type.png
      - text: Select your hard drive and press space to add it to the pool, then press enter
        image: /assets/images/guides/pfsense/setup-zfs-drives.png
      - text: You should now be back on the main ZFS configuration window. Select `Install` and press enter
        image: /assets/images/guides/pfsense/setup-zfs-menu-install.png
      - text: Confirm you would like to wipe the drive
        image: /assets/images/guides/pfsense/setup-confirm.png
      - text: Wait for it to install the Operating System
        image: /assets/images/guides/pfsense/setup-installing.png
      - text: When the installation completes, select `Restart`
        image: /assets/images/guides/pfsense/setup-complete.png
      - text: After the screen goes black, remove your USB drive
        image: /assets/images/guides/pfsense/black.png
---

**NOTE: This article is still under development. Some sections are incomplete or need clarification.**

# Goals / Who this is for

This guide is targeted at people who already understand the basics of computer networking (IP addresses, DHCP, etc.) and want to dive further down the discovery rabbit hole, while also building a functioning firewall that can be configured to help secure their network.

**Note:** pfSense requires a bit of time messing around in the web UI until you get the hang of it, so get ready to spend some time getting acquainted with the interface.

# Hardware

Pretty much any old desktop computer from the last ~15 years should be more than enough as long as it has:

- An x86-64 CPU (as long as it's a consumer PC or server made in the last 15 years, it should be fine)
- Two RJ45 Ethernet ports
  - Most computers only have one, but a second can be added through USB or PCIe.
  - I would recommend the [TP-Link TG-3468](https://www.tp-link.com/us/home-networking/pci-adapter/tg-3468/) as a budget-friendly PCIe expansion card.
- At least 2GB of system memory (RAM)
  - pfSense requires 1GB, but more is needed when there are many connected devices.
- A USB drive to hold the installer (must have > 1GB capacity)

pfSense is based on the FreeBSD operating system. A full list of supported hardware can be found [on the FreeBSD website](https://www.freebsd.org/releases/13.0R/hardware/).

# Example network topology

In this guide, we will assume that this firewall sits between your ISP-provided modem and your wireless router. If your ISP only provided a modem/router combo box, contact support to ask about using your own router.

TODO

# pfSense CE vs pfSense Plus

The pfSense branding applies to two different operating systems, pfSense CE (Community Edition) and pfSense Plus. pfSense CE is Free and Open Source, meaning that the source code is freely available to view, modify, and redistribute. pfSense Plus is a closed-source version maintained by Netgate.
For more information on the differences between pfSense CE and pfSense Plus, view the [official FAQ](https://www.netgate.com/support/frequently-asked-questions-pfsense-plus).

**Note:** pfSense Plus used to be free for non-commercial use, but Netgate has removed that subscription tier. The cheapest subscription plan is $129 per year.

# Installing the OS

Note: This guide assumes that your firewall has a video output. If you are using serial, please follow the [official documentation](https://docs.netgate.com/pfsense/en/latest/install/download-installer-image.html).

## Downloading the OS

The pfSense CE download image can be obtained from [the pfSense website](https://www.pfsense.org/download/). Architecture should be set to **AMD64**, and the installer can be set to USB Memstick or DVD Image. Both can be flashed onto a USB stick. [Here is a full comparison](https://en.wikipedia.org/wiki/IMG_(file_format)#Comparison_to_ISO_images).

If you have chosen to use pfSense Plus, you can upgrade from pfSense CE to pfSense Plus after installation.

## Flashing the Image onto a USB Stick

Once the file has downloaded, open the USB flasher of your choice (I recommend [Balena Etcher](https://etcher.balena.io/)) and flash the file.

**Note: This will wipe the contents of the USB stick, so make sure there's nothing important on it.**

# Booting into the installer

1. Insert the USB device into a USB port on the back of the motherboard (the front of the case should be fine, but don't use a USB hub)
2. Shut down the device
3. Start the device
4. Open the boot selection screen
   - This is different for every computer, but normally holding down `DELETE` works.
   - You can also try `F2` or `F12`.
   - If those don't work, consult your motherboard or computer's manual.
5. Select to boot from the USB drive
6. You should now see a pfSense boot screen.
   Press `Enter` or wait a few seconds for the installer to start booting.

TODO

# Installing

{% include guide-carousel.html id="installing" %}

# Configuring pfSense

## Getting the router's IP address

After the system boot process completes, you should see a screen that looks like this.

TODO

The router displays its WAN address (public IP address) and LAN address (local IP address). In my case, the local IP address is `192.168.1.1`.

## Accessing the Web Dashboard

Going to `http://ROUTER_LOCAL_IP_ADDRESS` in your browser should bring you to a login screen.

TODO

The default username is `admin`, and the default password is `pfsense`.

You should now be prompted with a setup wizard. Skip step 1 since it's just an ad for paid support.

TODO

On step 2:

- Set the hostname of the firewall (or leave it as pfSense)
- Give it a subdomain if you have one (TODO)
- Set DNS servers (1.1.1.1 and 1.0.0.1 are maintained by Cloudflare)

TODO

On step 3:

- Set the timezone
- Change the network time server if you are into that

TODO

On step 4, this is where the magic happens. If this firewall sits between your ISP-provided modem and your router, there is a good chance that using DHCP will work completely fine, but it depends on your specific ISP.

TODO

On step 5, you can set your local IP address range. The default is `192.168.1.1/16`, but if you need more addresses, you can use `10.0.0.0/8`.

TODO

On step 6, set the password for the webGUI. Make sure to use a secure password.

TODO

On steps 7 and 8, reload the system. The firewall will now restart. If you changed the IP address, you need to change the address in your browser as well.

## Configuration

Note: This list is not comprehensive.
- Enable dark mode
  - System > General Setup > webConfigurator section > Theme
  - Set to pfSense-Dark
- Remove the "Netgate Services and Support" tab from the dashboard
  - Press the X in the top-right corner of the widget
- Add the traffic graph to the dashboard
  - Press the plus in the top-right corner of the dashboard and select "Traffic Graph"
- Upgrade to pfSense Plus if you are willing to pay at least $129/year
  - Purchase a license from the [pfSense Plus store page](https://shop.netgate.com/products/pfsense-software-subscription)
  - Insert the code provided in System > Register

# Setting up IPv6

## What is IPv6

IPv6 is a newer version of the Internet Protocol than the classic IPv4 and was mainly created to add more IP addresses. IPv4 supports a maximum of 2^32 (`4,294,967,296`) addresses, while IPv6 has a maximum of 2^128 (340,282,366,920,938,463,463,374,607,431,768,211,456) addresses.

## Do I need one?

IPv4 addresses are now a commodity, and thus some people (including me) have moved to hosting exclusively* using IPv6.

*My website is still accessible over the IPv4 internet through a network translation service, but I will probably pull the plug when IPv6 becomes more widely adopted.

Your ISP might have already rolled out IPv6 to your area. You can check your IPv6 status using [this website](https://test-ipv6.com/).

## Obtaining an IPv6 address block with TunnelBroker

Netgate provides an [official tutorial](https://docs.netgate.com/pfsense/en/latest/recipes/ipv6-tunnel-broker.html) on how to get a block of IPv6 addresses with TunnelBroker and how to configure pfSense to use them.

# Installing and configuring Snort

Snort is a rule-based intrusion detection and prevention package that inspects incoming and outgoing network packets against user-configured rules and can block the traffic that matches. Another consequence of the IPv4 address space being completely full is that people run bots that ping random addresses, for both research and malicious reasons, and your firewall's WAN address will be among them.

## Installing the Snort package

1. Open the Package Manager's Available Packages view (System > Package Manager > Available Packages)

   TODO

2. Install the Snort package

   TODO

3. Wait for the installation to complete

   TODO

## Configuring Snort

1. First, go to the Snort configuration menu (Services > Snort) and click on the `Interfaces` tab if it does not send you to that page.

   TODO

2. Add the WAN interface to be filtered by pressing the `Add` button in the bottom right.

   TODO

3. Select the WAN interface.
4. By default, Snort will only log alerts for offences. For extra security, you can enable the `Block Offenders` option, but ensure that it will only block the source address, and be aware that on rare occasions you might accidentally block yourself.
5. Press Save at the bottom of the page to save the interface settings.
6. Going back to the `Snort Interfaces` tab should show the WAN interface.

   TODO

7. Enable scanning by pressing the Play button and waiting for it to start.

   TODO

### Adding rules

Snort blocks connections based on rulesets that can be obtained from multiple sources:

- Snort VRT (requires an account; has free and paid tiers)
- Snort GPL (free without an account)
- ET Open (free without an account)
- ET Pro (targeted at large companies; does not publicly list prices)

To add rules:

1. Go to `Global Settings`

   TODO

2. Enable the rule sources you desire
3. Set the update interval to 1 Day

   TODO

4. Press `Save`

### Downloading Rules

Go to `Updates` and press the `Update Rules` button. This will fetch all rules you enabled in the previous step.

### Configuring rules

1. Go to the `Snort Interfaces` tab
2. Click on the pencil icon associated with the WAN interface
3. Go to the `WAN Categories` tab
4. Choose the rule sets you would like to use

You can either cherry-pick which rules you would like to apply, or you can press `Select All` at the top and manually whitelist legitimate traffic that gets blocked.
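Deciding what to whitelist after `Select All` is easier when you can see which rules fire most, from which sources, and whether any alert is sourced from one of your own addresses (the self-block risk mentioned under `Block Offenders`). The following Python script is an added example for this guide, not code from the guide, pfSense or the Snort project. It assumes Snort's standard one-line `alert_fast` output format, counts hits by rule and by source, warns about alerts sourced from your own networks, and drafts `suppress` entries (Snort's `suppress gen_id ..., sig_id ..., track by_src, ip ...` syntax) for sources you trust. All sample alerts, rule SIDs (local range 1000001 and up) and addresses are constructed, using RFC 5737 documentation prefixes and a 192.168.1.0/24 LAN.

```python
"""Summarise Snort alert_fast lines and draft suppress entries.

Added example; not code from the pfSense guide, pfSense or Snort. Assumes
Snort's one-line alert_fast format. All alerts, SIDs and addresses are
constructed (RFC 5737 prefixes, 192.168.1.0/24 LAN, WAN 198.51.100.10).
"""
import ipaddress
import re
from collections import Counter

# Constructed sample alerts: a scanner (203.0.113.45) probing SSH/telnet and
# pinging, a second scanner, a LAN host tripping a policy rule, and one alert
# sourced from the firewall's own WAN address (a self-block risk).
SAMPLE_ALERTS = [
    "01/15-10:23:45.123456  [**] [1:1000001:1] CONSTRUCTED inbound scan probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.45:51234 -> 198.51.100.10:22",
    "01/15-10:23:46.654321  [**] [1:1000001:1] CONSTRUCTED inbound scan probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.45:51235 -> 198.51.100.10:23",
    "01/15-10:24:01.000001  [**] [1:1000001:1] CONSTRUCTED inbound scan probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.77:40000 -> 198.51.100.10:22",
    "01/15-10:25:10.500000  [**] [1:1000002:1] CONSTRUCTED ICMP ping sweep [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.45 -> 198.51.100.10",
    "01/15-10:30:00.000000  [**] [1:1000003:2] CONSTRUCTED policy rule hit from LAN host [**] "
    "[Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 192.168.1.50:40000 -> 203.0.113.200:53",
    "01/15-10:31:00.000000  [**] [1:1000004:1] CONSTRUCTED alert without classification [**] "
    "[Priority: 1] {TCP} 198.51.100.10:443 -> 203.0.113.9:55555",
]

# One alert_fast line: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, then "src[:port] -> dst[:port]".
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def split_endpoint(token):
    """Split 'addr:port' into (addr, port); ICMP alerts carry no port."""
    addr, sep, port = token.rpartition(":")
    if sep and port.isdigit():
        try:
            ipaddress.ip_address(addr)
            return addr, int(port)
        except ValueError:
            pass  # the last colon belonged to an IPv6 address, not a port
    return token, None


def parse_alert(line):
    """Return the alert as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    return {"ts": m["ts"], "gid": int(m["gid"]), "sid": int(m["sid"]),
            "rev": int(m["rev"]), "msg": m["msg"], "classification": m["cls"],
            "priority": int(m["prio"]), "proto": m["proto"],
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def in_any(addr, nets):
    return any(ipaddress.ip_address(addr) in n for n in nets)


def summarize(lines, own_nets):
    """Count alerts per rule and per source; flag alerts from our own nets."""
    nets = [ipaddress.ip_network(n, strict=False) for n in own_nets]
    alerts = [a for a in (parse_alert(l) for l in lines) if a]
    return {"alerts": alerts,
            "by_sid": Counter((a["sid"], a["msg"]) for a in alerts),
            "by_src": Counter(a["src"] for a in alerts),
            "own_hits": [a for a in alerts if in_any(a["src"], nets)]}


def suppress_entries(alerts, trusted_nets):
    """Draft Snort suppress lines for alerts sourced from trusted networks."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_nets]
    return sorted({f"suppress gen_id {a['gid']}, sig_id {a['sid']}, track by_src, ip {a['src']}"
                   for a in alerts if in_any(a["src"], nets)})


def report(summary, top=5):
    lines = ["Top rules:"]
    lines += [f"  sid {sid}: {n}  {msg}" for (sid, msg), n in summary["by_sid"].most_common(top)]
    lines.append("Top sources:")
    lines += [f"  {src}: {n}" for src, n in summary["by_src"].most_common(top)]
    if summary["own_hits"]:
        lines.append("WARNING: alerts sourced from your own addresses (review before enabling Block Offenders):")
        lines += [f"  sid {a['sid']} from {a['src']} at {a['ts']}" for a in summary["own_hits"]]
    return "\n".join(lines)


if __name__ == "__main__":
    s = summarize(SAMPLE_ALERTS, ["198.51.100.10/32", "192.168.1.0/24"])
    print(report(s))
    print("\n".join(suppress_entries(s["alerts"], ["192.168.1.0/24"])))
```

Feed it the alert log of the interface you enabled and put your WAN address and LAN prefix in the own-network list; any source that lands in the warning section is one you must whitelist before turning on `Block Offenders`, and the drafted suppress lines can be pasted into the Snort package's suppress list as a starting point.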
### Viewing alerts in real time

In the `Alerts` tab, you can view the IP addresses that have been blocked by the selected rules.

TODO

This image is from an actual pfSense deployment, so many fields have been blurred.

# Conclusion

Congratulations! You now have an open-source* firewall protecting your network!

Here are some links to other guides on setting up specific packages/programs on pfSense:

- [Creating a Virtual Private Network with Tailscale](https://www.wundertech.net/how-to-set-up-tailscale-on-pfsense/)
- [Forwarding ports through your firewall](https://www.wundertech.net/pfsense-port-forwarding-setup-guide/)
- [Configuring VLANs, DHCP, and other stuff](https://itigic.com/how-to-configure-pfsense-internet-vlans-dhcp-dns-and-nat/)

*If you have chosen to stick with pfSense CE over pfSense Plus