owenryan.us/source/_guides/pfsense.md
2024-02-05 23:13:57 -05:00


---
layout: guide
title: "pfSense Guide"
description: How to convert an old desktop PC into a router/firewall combo
carousels:
  installing:
    title: Navigating the Install Wizard
    steps:
      - text: Wait for the installer to boot
        image: /assets/images/guides/pfsense/setup-boot.png
      - text: Accept the copyright agreement
        image: /assets/images/guides/pfsense/setup-copyright.png
      - text: Select `Install` on the welcome screen
        image: /assets/images/guides/pfsense/setup-welcome.png
      - text: For partitioning, select `Auto (ZFS)`
        image: /assets/images/guides/pfsense/setup-partitioning.png
      - text: Wait for the installer to probe for devices
        image: /assets/images/guides/pfsense/setup-probe.png
      - text: On the ZFS Configuration menu, select `Pool Type/Disks` and press enter
        image: /assets/images/guides/pfsense/setup-zfs-menu-pool.png
      - text: When asked for device type, choose `Striped`. Then press enter
        image: /assets/images/guides/pfsense/setup-zfs-type.png
      - text: Select your hard drive and press space to add it to the pool, then press enter
        image: /assets/images/guides/pfsense/setup-zfs-drives.png
      - text: You should now be back on the main ZFS configuration window. Select `Install` and press enter
        image: /assets/images/guides/pfsense/setup-zfs-menu-install.png
      - text: Confirm you would like to wipe the drive
        image: /assets/images/guides/pfsense/setup-confirm.png
      - text: Wait for it to install the Operating System
        image: /assets/images/guides/pfsense/setup-installing.png
      - text: When the installation completes, select `Restart`
        image: /assets/images/guides/pfsense/setup-complete.png
      - text: After the screen goes black, remove your USB drive
        image: /assets/images/guides/pfsense/black.png
---
**NOTE: This article is still under development. Some sections are incomplete or need clarification**
# Goals / Who this is for
This guide is targeted at people who already understand the basics of computer networking (IP addresses, DHCP, etc.)
and want to dive further down the discovery rabbit hole, while also building a functioning firewall that can be
configured to improve network security.
**Note:** pfSense requires a bit of time messing around in the web UI until you get the hang of it, so be ready to
spend some time getting acquainted with the interface.
# Hardware
Pretty much any old desktop computer from the last ~15 years should be more than enough as long as it has:
- An x86-64 CPU (as long as it's a consumer PC or server made in the last 15 years it should be fine)
- Two RJ45 Ethernet ports
  - Most computers only have one, but a second one can be added through USB or PCIe.
  - I would recommend the [TP-Link TG-3468](https://www.tp-link.com/us/home-networking/pci-adapter/tg-3468/) as a
    budget-friendly PCIe expansion card.
- At least 2GB of system memory (RAM)
  - pfSense requires 1GB, but more is needed when there are many connected devices.
- A USB drive to hold the installer (must have > 1GB capacity)
pfSense is based on the FreeBSD operating system. A full list of supported hardware can be found
[on the FreeBSD website](https://www.freebsd.org/releases/13.0R/hardware/).
# Example network topology
In this guide, we will assume that this firewall is between your ISP-provided modem and your wireless router. If your
ISP only provided a modem/router combo box, contact support to ask about using your own router.
<img src="/assets/images/guides/pfsense/topology.png" alt="TODO">
# pfSense CE vs pfSense Plus
The pfSense branding applies to two different operating systems, pfSense CE (Community Edition) and pfSense Plus.
pfSense CE is Free and Open Source, meaning that the source code is freely available to view, modify, and redistribute.
pfSense Plus is a closed-source version maintained by Netgate.
For more information on the differences between pfSense CE and pfSense Plus, view the
[official FAQ](https://www.netgate.com/support/frequently-asked-questions-pfsense-plus).
**Note:** pfSense Plus used to be free for non-commercial use, but Netgate has removed that subscription tier. The
cheapest subscription plan is $129 per year.
# Installing the OS
Note: This guide assumes that your firewall has a video output. If you are using a serial console, please follow the
[official documentation](https://docs.netgate.com/pfsense/en/latest/install/download-installer-image.html).
## Downloading the OS
The pfSense CE download image can be obtained from [the pfSense website](https://www.pfsense.org/download/).
Architecture should be set to **AMD64**, and the installer can be set to either USB Memstick or DVD Image. Both can be
flashed onto a USB stick; [here is a full comparison](https://en.wikipedia.org/wiki/IMG_(file_format)#Comparison_to_ISO_images).
If you have chosen to use pfSense Plus, you can upgrade from pfSense CE to pfSense Plus after installation.
## Flashing the Image onto a USB Stick
Once the file has downloaded, open the USB flasher of your choice (I recommend
[Balena Etcher](https://etcher.balena.io/)) and flash the file.
**Note: This will wipe the contents of the USB stick, so make sure there's nothing important on it.**
# Booting into the installer
1. Insert the USB device into a USB port on the back of the motherboard (the front of the case should be fine, but don't
   use a USB hub)
2. Shut down the device
3. Start the device
4. Open the boot selection screen
   - This is different for every computer, but normally holding down `DELETE` works.
   - You can also try `F2` or `F12`.
   - If those don't work, consult your motherboard or computer's manual.
5. Select the USB drive as the boot device
6. You should now see a pfSense boot screen. Press `Enter` or wait a few seconds for the installer to start booting
<img src="/assets/images/guides/pfsense/setup-bootloader.png" alt="TODO">
# Installing
{% include guide-carousel.html id="installing" %}
# Configuring pfSense
## Getting the router's IP address
After the system boot process completes, you should see a screen that looks like this.
<img src="/assets/images/guides/pfsense/cli-menu.png" alt="TODO">
The router displays its WAN address (public IP address) and its LAN address (local IP address).
In my case, the local IP address is `192.168.1.1`.
## Accessing the Web Dashboard
Going to `http://ROUTER_LOCAL_IP_ADDRESS` in your browser should bring you to a login screen
<img src="/assets/images/guides/pfsense/pfsense-login.png" alt="TODO">
The default username is `admin`, and the default password is `pfsense`
You should now be prompted with a setup wizard.
Skip step 1 since it's just an ad for paid support
<img src="/assets/images/guides/pfsense/wizard-welcome.png" alt="TODO">
On step 2:
- Set the hostname of the firewall (or leave it as pfSense)
- Give it a subdomain if you have one (TODO)
- Set DNS servers (1.1.1.1 and 1.0.0.1 are maintained by Cloudflare)
<img src="/assets/images/guides/pfsense/wizard-general.png" alt="TODO">
On step 3:
- Set the timezone
- Change the network timeserver if you are into that
<img src="/assets/images/guides/pfsense/wizard-timezone.png" alt="TODO">
Step 4 is where the magic happens.
If this firewall sits between your ISP-provided modem and your own router, there is a good chance that DHCP on the WAN
interface will work completely fine, but it depends on your specific ISP.
<img src="/assets/images/guides/pfsense/wizard-wan.png" alt="TODO">
On step 5, you can set your local IP Address range. The default is `192.168.1.1/16` but if you need more addresses, you
can use `10.0.0.0/8`
<img src="/assets/images/guides/pfsense/wizard-lan.png" alt="TODO">
On step 6, set the password for the webGUI. Make sure to use a secure password
<img src="/assets/images/guides/pfsense/wizard-password.png" alt="TODO">
On steps 7 and 8, reload the system.
The firewall will now reload. If you changed the LAN IP address, you need to update the address in your browser as well.
## Configuration
Note: This list is not comprehensive.
- Enable dark mode
  - System > General Setup > webConfigurator section > Theme
  - Set to pfSense-Dark
- Remove the "Netgate Services and Support" tab from the dashboard
  - Press the X in the top-right corner of the widget
- Add the traffic graph to the dashboard
  - Press the plus in the top-right corner of the dashboard and select "Traffic Graph"
- Upgrade to pfSense Plus if you are willing to pay at least $129/year
  - Purchase a license from
    the [pfSense Plus store page](https://shop.netgate.com/products/pfsense-software-subscription)
  - Insert the code provided in System > Register
# Setting up IPv6
## What is IPv6
IPv6 is a newer implementation of the Internet Protocol than the classic IPv4 and was mainly created to add more IP
addresses. IPv4 supports a maximum of 2^32 (`4,294,967,296`) addresses, while IPv6 has a maximum of 2^128
(`340,282,366,920,938,463,463,374,607,431,768,211,456`) addresses.
## Do I need one?
IPv4 addresses are now a commodity, and thus some people (including me) have moved to hosting exclusively* using IPv6.
*My website is still accessible over the IPv4 internet through a network translation service, but I will probably pull
the plug when IPv6 becomes more widely adopted.
Your ISP might have already rolled out IPv6 to your area. You can check your IPv6 status using
[this website](https://test-ipv6.com/).
## Obtaining an IPv6 address block with TunnelBroker
Netgate provides an [official tutorial](https://docs.netgate.com/pfsense/en/latest/recipes/ipv6-tunnel-broker.html) on
how to get a block of IPv6 addresses with TunnelBroker and how to configure pfSense to use them.
# Installing and configuring Snort
Snort is a rule-based intrusion detection and prevention package that alerts on, and can optionally block, incoming and
outgoing network packets based on user-configured rules.
A side effect of the IPv4 address space being completely full is that every public address is constantly probed by bots
that scan random addresses, for both research and malicious reasons; Snort lets you see and react to that traffic.
## Installing the Snort package
1. Open the Package Manager's Available Package view (System > Package Manager > Available Packages)
<img src="/assets/images/guides/pfsense/pfsense-packages.png" alt="TODO">
2. Install the Snort Package
<img src="/assets/images/guides/pfsense/pfsense-package-confirm.png" alt="TODO">
3. Wait for the installation to complete
<img src="/assets/images/guides/pfsense/pfsense-package-install.png" alt="TODO">
## Configuring Snort
1. First, go to the Snort configuration menu (Services > Snort), and click on the `Interfaces` tab if it does not send
   you to that page.
<img src="/assets/images/guides/pfsense/snort-interfaces-empty.png" alt="TODO">
2. Add the WAN interface to be filtered by pressing the `Add` button in the bottom right
<img src="/assets/images/guides/pfsense/snort-interfaces-empty.png" alt="TODO">
3. Select the WAN interface
4. By default, Snort only logs alerts for offending traffic. For extra security, you can enable the `Block Offenders`
   option, but make sure it is set to block only the source address, and be aware that on rare occasions you might
   accidentally block yourself.
5. Press save at the bottom of the page to save interface settings
6. Going back to the `Snort Interfaces` tab should show the WAN interface
<img src="/assets/images/guides/pfsense/snort-interfaces-off.png" alt="TODO">
7. Enable scanning by pressing the Play button and waiting for it to start
<img src="/assets/images/guides/pfsense/snort-interfaces-on.png" alt="TODO">
### Adding rules
Snort blocks connections based on rulesets that can be obtained from multiple sources:
- Snort VRT (Requires account, has free and paid tiers)
- Snort GPL (Free without account)
- ET Open (Free without account)
- ET Pro (Targeted at large companies; does not publicly list prices)
To add rules:
1. Go to `Global Settings`
<img src="/assets/images/guides/pfsense/snort-globalconfig1.png" alt="TODO">
2. Enable the rule sources you desire
3. Set the update interval to 1 Day
<img src="/assets/images/guides/pfsense/snort-globalconfig2.png" alt="TODO">
4. Press `Save`
### Downloading Rules
Go to `Updates` and press the `Update Rules` button. This will fetch all rules you enabled in the previous step.
### Configuring rules
1. Go to the `Snort Interfaces` tab
2. Click on the pencil icon associated with the WAN interface
3. Go to the `WAN Categories` tab
4. Choose the rule sets you would like to use
You can either cherry-pick which rules you would like to apply, or you can press `Select All` at the top and manually
allow legitimate traffic that gets blocked.
### Viewing alerts in real time
In the `Alerts` tab, you can view the alerts triggered by the selected rules, including the IP addresses involved and
which ones have been blocked.
<img src="/assets/images/guides/pfsense/snort-alerts.png" alt="TODO">
This image is from an actual pfSense deployment, so many fields have been blurred
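To review alerts offline rather than only in the web UI, the following added example (not from the guide or the pfSense project) parses alert lines in Snort's `alert_fast` text format, counts alerts per source address, and flags any source that `Block Offenders` would block even though it is the firewall itself or a LAN host, which is the self-blocking case warned about above. The sample alert lines, SIDs and addresses are constructed; the firewall addresses and LAN subnet passed in are assumptions.

```python
# Added example: triage Snort alert_fast lines and spot self-blocking risks.
# Not part of the pfSense guide; sample data below is constructed.
import ipaddress
import re
from collections import Counter

# Constructed alerts in Snort's alert_fast format. SIDs are in the local
# range (1000001+) and addresses are documentation ranges, not real hosts.
SAMPLE_ALERTS = """\
01/15-12:34:56.789012  [**] [1:1000001:1] CONSTRUCTED SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:51234 -> 198.51.100.10:22
01/15-12:35:01.000123  [**] [1:1000001:1] CONSTRUCTED SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:51240 -> 198.51.100.10:22
01/15-12:36:10.555000  [**] [1:1000002:2] CONSTRUCTED outbound HTTP scanner user-agent [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 198.51.100.10:40001 -> 192.0.2.99:80
01/15-12:37:42.100000  [**] [1:1000003:1] CONSTRUCTED ICMP sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.77 -> 198.51.100.10
"""

# [gid:sid:rev] message [**] ... {PROTO} src -> dst
ALERT_RE = re.compile(
    r"\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\].*\{(\w+)\}\s+(\S+)\s+->\s+(\S+)\s*$"
)

def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    gid, sid, rev, msg, proto, src, dst = m.groups()
    # TCP/UDP endpoints carry a trailing :port; ICMP endpoints do not.
    if proto in ("TCP", "UDP"):
        src, dst = src.rsplit(":", 1)[0], dst.rsplit(":", 1)[0]
    return {"sid": int(sid), "msg": msg, "proto": proto,
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}

def block_report(alert_text, firewall_addrs, lan_net):
    """Count alerts per source and warn where blocking the source would hit
    the firewall's own addresses (assumed WAN/LAN) or a host in lan_net."""
    own = {ipaddress.ip_address(a) for a in firewall_addrs}
    lan = ipaddress.ip_network(lan_net, strict=False)
    counts, warnings = Counter(), []
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        counts[str(alert["src"])] += 1
        # Block Offenders acts on the source only, so outbound alerts (seen
        # post-NAT on WAN) name the firewall itself as the offender.
        if alert["src"] in own or alert["src"] in lan:
            warnings.append(f"SID {alert['sid']} would block {alert['src']} "
                            f"({alert['msg']}); consider a pass list entry")
    return counts, warnings
```

Pass the firewall's WAN and LAN addresses and the LAN subnet chosen in wizard step 5; any warning returned is a source you should exempt before enabling blocking.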
# Conclusion
Congratulations! You now have an open-source* firewall protecting your network! Here are some links to other guides on
setting up specific packages/programs on pfSense:
- [Creating a Virtual Private Network with Tailscale](https://www.wundertech.net/how-to-set-up-tailscale-on-pfsense/)
- [Forwarding ports through your firewall](https://www.wundertech.net/pfsense-port-forwarding-setup-guide/)
- [Configuring VLANs, DHCP, and other stuff](https://itigic.com/how-to-configure-pfsense-internet-vlans-dhcp-dns-and-nat/)
*If you have chosen to stick with pfSense CE over pfSense+