Mastering pfSense: Manage, secure, and monitor your on-premise and cloud network with pfSense 2.4
About this ebook
pfSense has the same reliability and stability as even the most popular commercial firewall offerings on the market – but, like the very best open-source software, it doesn’t limit you.
You’re in control – you can exploit and customize pfSense around your security needs.
Mastering pfSense - Second Edition, covers features that have long been part of pfSense such as captive portal, VLANs, traffic shaping, VPNs, load balancing, Common Address Redundancy Protocol (CARP), multi-WAN, and routing. It also covers features that have been added with the release of 2.4, such as support for ZFS partitions and OpenVPN 2.4. This book takes into account the fact that, in order to support increased cryptographic loads, pfSense version 2.5 will require a CPU that supports AES-NI.
The second edition of this book places more of an emphasis on the practical side of utilizing pfSense than the previous edition, and, as a result, more examples are provided which show in step-by-step fashion how to implement many features.
Book preview
Mastering pfSense
Second Edition
Manage, secure, and monitor your on-premise and cloud network with pfSense 2.4
David Zientara
BIRMINGHAM - MUMBAI
Mastering pfSense Second Edition
Copyright © 2018 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor: Vijin Boricha
Acquisition Editor: Shrilekha Inani
Content Development Editor: Priyanka Deshpande
Technical Editor: Mohit Hassija
Copy Editor: Safis Editing
Project Coordinator: Virginia Dias
Proofreader: Safis Editing
Indexer: Mariammal Chettiyar
Graphics: Tom Scaria
Production Coordinator: Shantanu Zagade
First published: August 2016
Second edition: May 2018
Production reference: 1040518
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-78899-317-3
www.packtpub.com
To my mother, Isabel Zientara, and to the memory of my father, Francis, for their constant encouragement and support, and for always keeping me focused on what is important. To my siblings, who have always been there when needed.
mapt.io
Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry-leading tools to help you plan your personal development and advance your career. For more information, please visit our website.
Why subscribe?
Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Mapt is fully searchable
Copy and paste, print, and bookmark content
PacktPub.com
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at service@packtpub.com for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
Contributors
About the author
David Zientara is a software engineer and IT professional living in northern New Jersey. He has 20 years of experience in IT, and he has been the lead software engineer for Oxberry since the mid-1990s. His interest in pfSense prompted him to create a pfSense website in June 2013, and eventually to author this book.
I wish to thank my editors for helping ensure that the final product is the best that it can be. I also wish to thank my parents for their constant support in my endeavors.
About the reviewer
Shiva V.N. Parasram is a professional cyber security trainer and the owner of the Computer Forensics and Security Institute (CFSI). He is also a Certified EC-Council Instructor (CEI), and his qualifications include an M.Sc. in network security (Distinction), CEH, CHFI, ECSA, CCNA, NSE, and more. He has successfully executed and delivered forensic investigations, penetration tests, and security training for large enterprises, and he is also the author of Digital Forensics with Kali Linux, Packt Publishing.
If you have to be anything, be brave.
– Indra J. Parasram.
Always be patient, son.
– Harry G. Parasram.
To my parents and best friends. The love that stayed, the love I know. Thank you.
Packt is searching for authors like you
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Table of Contents
Title Page
Copyright and Credits
Mastering pfSense Second Edition
Dedication
Packt Upsell
Why subscribe?
PacktPub.com
Contributors
About the author
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Reviews
Revisiting pfSense Basics
Technical requirements
pfSense project overview
Possible deployment scenarios
Hardware requirements and sizing guidelines
Minimum hardware requirements
Hardware sizing guidelines
The best practices for installation and configuration
pfSense configuration
Configuration from the console
Configuration from the web GUI
Configuring additional interfaces
Additional WAN configuration
General setup options
Summary
Questions
Further reading
Advanced pfSense Configuration
Technical requirements
SSH login
DHCP
DHCP configuration at the console
DHCP configuration in the web GUI
DHCPv6 configuration in the web GUI
DHCP and DHCPv6 relay
DHCP and DHCPv6 leases
DNS
DNS resolver
General Settings
Enable DNSSEC support
Host Overrides and Domain Overrides
Access Lists
DNS forwarder
DNS firewall rules
DDNS
DDNS updating
RFC 2136 updating
Troubleshooting DDNS
Captive portal
Implementing captive portal
User manager authentication
Voucher authentication
RADIUS authentication
Other settings
Troubleshooting captive portal
NTP
SNMP
Summary
Questions
VLANs
Technical requirements
Basic VLAN concepts
Example 1 – developers and engineering
Example 2 – IoT network
Hardware, configuration, and security considerations
VLAN configuration at the console
VLAN configuration in the web GUI
QinQ
Link aggregation
Add firewall rules for VLANs
Configuration at the switch
VLAN configuration example 1 – TL-SG108E
VLAN configuration example 2 – Cisco switches
Static VLAN creation
Dynamic Trunking Protocol
VLAN Trunking Protocol
Troubleshooting VLANs
General troubleshooting tips
Verifying switch configuration
Verifying pfSense configuration
Summary
Questions
Using pfSense as a Firewall
Technical requirements
An example network
Firewall fundamentals
Firewall best practices
Best practices for ingress filtering
Best practices for egress filtering
Creating and editing firewall rules
Floating rules
Example rules
Example 1 – block a website
Example 2 – block all traffic from other networks
Example 3 – the default allow rule
Scheduling
An example schedule entry
Aliases
Creating aliases from a DNS lookup
Bulk import
Virtual IPs
Troubleshooting firewall rules
Summary
Questions
Network Address Translation
Technical requirements
NAT essentials
Outbound NAT
Example – filtering outbound NAT for a single network
1:1 NAT
Example – mapping a file server
Port forwarding
Example 1 – setting up DCC
Example 2 – excluding a port
Example 3 – setting up a personal web server
Network Prefix Translation
Example – mapping an IPv6 network
Troubleshooting
Summary
Questions
Traffic Shaping
Technical requirements
Traffic shaping essentials
Queuing policies
Priority queuing
Class-based queuing
Hierarchical Fair Service Curve
Configuring traffic shaping in pfSense
The Multiple LAN/WAN Configuration wizard
The Dedicated Links wizard
Advanced traffic shaping configuration
Changes to queues
Limiters
Layer 7 traffic shaping
Adding and changing traffic shaping rules
Example 1 – modifying the penalty box
Example 2 – prioritizing EchoLink
Traffic shaping examples
Example 1 – adding limiters
Example 2 – penalizing peer-to-peer traffic
Using Snort for traffic shaping
Installing and configuring Snort
Troubleshooting traffic shaping
Summary
Questions
Further reading
Virtual Private Networks
Technical requirements
VPN fundamentals
IPsec
L2TP
OpenVPN
AES-NI
Choosing a VPN protocol
Configuring a VPN tunnel
IPsec
IPsec peer/server configuration
IPsec mobile client configuration
Example 1 – Site-to-site IPsec configuration
Example 2 – IPsec tunnel for remote access
L2TP
OpenVPN
OpenVPN server configuration
OpenVPN client configuration
Client-specific overrides
Server configuration with the wizard
OpenVPN Client Export Utility
Example – site-to-site OpenVPN configuration
Troubleshooting
Summary
Questions
Redundancy and High Availability
Technical requirements
Basic concepts
Server load balancing
Example – load balancer for a web server
HAProxy – a brief overview
CARP configuration
Example 1 – CARP with two firewalls
Example 2 – CARP with N firewalls
An example of both load balancing and CARP
Troubleshooting
Summary
Questions
Further reading
Multiple WANs
Technical requirements
Basic concepts
Service Level Agreement
Multi-WAN configuration
DNS considerations
NAT considerations
Third-party packages
Example – multi-WAN and CARP
Troubleshooting
Summary
Questions
Routing and Bridging
Technical requirements
Basic concepts
Bridging
Routing
Routing
Static routes
Public IP addresses behind a firewall
Dynamic routing
RIP
OpenBGPD
Quagga OSPF
FRRouting
Policy-based routing
Bridging
Bridging interfaces
Special issues
Bridging example
Troubleshooting
Summary
Questions
Extending pfSense with Packages
Technical requirements
Basic considerations
Installing packages
Important packages
Squid
Issues with Squid
Squid reverse proxy server
pfBlockerNG
ntopng
Nmap
HAProxy
Example – load balancing a web server
Other packages
Snort
Example – using Snort to block social media sites
FRRouting
Zabbix
Summary
Questions
Further reading
Diagnostics and Troubleshooting
Technical requirements
Troubleshooting basics
Common networking problems
Wrong subnet mask or gateway
Wrong DNS configuration
Duplicate IP addresses
Network loops
Routing issues
Port configuration
Black holes
Physical issues
Wireless issues
RADIUS issues
pfSense troubleshooting tools
System logs
Dashboard
Interfaces
Services
Monitoring
Traffic graphs
Firewall states
States
States summary
pfTop
tcpdump
tcpflow
ping, traceroute and netstat
ping
traceroute
netstat
Troubleshooting scenarios
VLAN configuration problem
Summary
Questions
Assessments
Chapter 1 – Revisiting pfSense Basics
Chapter 2 – Advanced pfSense Configuration
Chapter 3 – VLANs
Chapter 4 – Using pfSense as a Firewall
Chapter 5 – Network Address Translation
Chapter 6 – Traffic Shaping
Chapter 7 – Virtual Private Networks
Chapter 8 – Redundancy and High Availability
Chapter 9 – Multiple WANs
Chapter 10 – Routing and Bridging
Chapter 11 – Extending pfSense with Packages
Chapter 12 – Diagnostics and Troubleshooting
Another Book You May Enjoy
Leave a review - let other readers know what you think
Preface
pfSense is open source firewall/router software based on the FreeBSD packet filtering program PF that can be used as a perimeter firewall, router, wireless access point, DHCP server, DNS server, or VPN endpoint. Mastering pfSense, Second Edition, is a comprehensive guide to installing, configuring, and customizing pfSense.
Who this book is for
The target audience for this book should have at least an intermediate level of knowledge of computer networking. Some knowledge of pfSense is a plus, although it is not required.
The book should appeal to a wide range of technophiles; anyone interested in pfSense who has an aptitude for understanding networking and the resources to follow along with the examples will benefit from this book.
What this book covers
Chapter 1, Revisiting pfSense Basics, covers deployment scenarios for pfSense, hardware requirements, sizing and installation options, and it guides the user through the initial installation and configuration.
Chapter 2, Advanced pfSense Configuration, covers some of the commonly used pfSense services, such as DHCP, DNS, Dynamic DNS (DDNS), captive portal, Network Time Protocol (NTP), and Simple Network Management Protocol (SNMP).
Chapter 3, VLANs, covers how to set up a virtual LAN in pfSense, both from the command line and the web GUI, and provides examples showing how to configure some commercially available managed switches.
Chapter 4, Using pfSense as a Firewall, covers how to implement rules to block, pass, or divert network traffic, as well as virtual IPs, aliases, and scheduling.
Chapter 5, Network Address Translation, covers Network Address Translation (NAT) in depth, including outbound NAT, port forwarding, 1:1 NAT, and Network Prefix Translation (NPt).
Chapter 6, Traffic Shaping, covers how to use pfSense's traffic shaping capabilities: with the traffic shaping wizard, by manually adjusting queues, and by creating custom floating rules.
Chapter 7, Virtual Private Networks (VPNs), covers the advantages and disadvantages of VPNs and explains how to use pfSense to set up an IPsec, L2TP, or OpenVPN tunnel. Client-server and peer-to-peer options are covered.
Chapter 8, Redundancy and High Availability, covers load balancing, failover, and implementing redundancy via Common Address Redundancy Protocol (CARP), which allows the user to add one or more backup firewalls.
Chapter 9, Multiple WANs, covers ways to implement redundancy and high availability into internet connections by having multiple internet connections for failover, load balancing, and bandwidth aggregation. This chapter shows how to set up gateways and gateway groups.
Chapter 10, Routing and Bridging, covers bridging and static/dynamic routing, including when bridging network adapters is appropriate, as well as when it is necessary to configure static routes and how to do it, and discusses the dynamic routing protocols available for pfSense.
Chapter 11, Extending pfSense with Packages, covers the most significant packages available for pfSense, such as Snort, Squid, HAProxy, and many others.
Chapter 12, Diagnostics and Troubleshooting, covers what to do when things go wrong. A problem-solving methodology is outlined, and common problems and available troubleshooting tools are discussed. A real-world example of troubleshooting is provided.
Appendix A, Assessments, contains the answers to the questions asked in the chapters.
To get the most out of this book
I am assuming a basic understanding of networking. Enough knowledge to pass CompTIA's Network+ exam should be more than sufficient. A basic knowledge of computers and how to use a CLI is also necessary. Since pfSense runs on FreeBSD, some experience with BSD and/or Unix-like operating systems such as Linux is helpful, though not strictly necessary. Experience with pfSense is also helpful; I am not assuming any prior knowledge of pfSense, although the book does not discuss the initial installation and configuration in depth and instead progresses rapidly to more advanced topics. Readers with no prior knowledge of pfSense may be better served by starting out with a book targeted toward pfSense neophytes, such as pfSense 2 Cookbook by Matt Williamson.
Since the focus in the second edition is more toward providing practical examples of pfSense in action, the reader will get more out of the book if they install pfSense and try some of the examples. Thus, having a system on which to install pfSense or being able to run pfSense in a virtual machine will be a plus. The book outlines the hardware requirements and sizing guidelines. If the reader intends to run pfSense in a virtual machine, they should run it on a system that supports 64-bit virtualization. For some of the examples such as VPNs and setting up a CARP failover group, it is helpful to set up a virtual network with multiple instances of pfSense running on the network.
Download the color images
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it from https://www.packtpub.com/sites/default/files/downloads/MasteringpfSenseSecondEdition_ColorImages.pdf.
Conventions used
There are a number of text conventions used throughout this book.
CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: The nslookup utility is available on Linux, Windows, and macOS.
Any command-line input or output is written as follows:
nslookup packtpub.com 8.8.4.4
Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: Navigate to System | Advanced. Make sure the Admin Access tab is selected and scroll down to the Secure Shell section of the page.
Warnings or important notes appear like this.
Tips and tricks appear like this.
Get in touch
Feedback from our readers is always welcome.
General feedback: Email feedback@packtpub.com and mention the book title in the subject of your message. If you have questions about any aspect of this book, please email us at questions@packtpub.com.
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at copyright@packtpub.com with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Reviews
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packtpub.com.
Revisiting pfSense Basics
While high-speed internet connectivity is becoming more and more common, many in the online world—especially those with residential connections or small office/home office (SOHO) setups—lack the hardware to fully take advantage of these speeds. Fiber-optic technology brings with it the promise of a gigabit speed or greater, and the technology surrounding traditional copper networks is also yielding improvements. Yet many people are using consumer-grade routers that offer, at best, mediocre performance.
pfSense, an open source router/firewall solution, is a far better alternative that is available to you. You have likely already downloaded, installed, and configured pfSense, possibly in a residential or SOHO environment. As an intermediate-level pfSense user, you do not need to be sold on the benefits of pfSense. Nevertheless, you may be looking to deploy pfSense in a different environment (for example, a corporate network), or you may just be looking to enhance your knowledge of pfSense. In either case, mastering the topics in this book will help you achieve these goals.
This chapter is designed to review the process of getting your pfSense system up and running. It will guide you through the process of choosing the right hardware for your deployment, but it will not provide a detailed treatment of installation and initial configuration. The emphasis will be on troubleshooting, as well as some of the newer configuration options.
This chapter will cover the following topics:
A brief overview of the pfSense project
pfSense deployment scenarios
Minimum specifications and hardware sizing guidelines
The best practices for installation and configuration
Basic configuration from both the console and the pfSense web GUI
Technical requirements
The following equipment is required for installing and configuring pfSense 2.4:
A 64-bit Intel, AMD, or ARM-based system with a 500 MHz processor or greater, at least 512 MB of RAM, and 1 GB of disk space onto which pfSense will be installed
A USB thumb drive with at least 1 GB of disk space, or blank CD media if you prefer using optical media, which will serve as the installation media
Internet access, for downloading pfSense binaries
A second computer system, for accessing the pfSense web GUI
An Ethernet switch and cabling, or a crossover cable, for connecting the second computer system to the pfSense system
If you want to try out pfSense without doing an actual installation, you can create a pfSense virtual machine. While this chapter does not provide a guide to installing pfSense into a virtual environment, I recommend the following for running pfSense in a virtual machine:
A 64-bit Intel or AMD-based system with a 2 GHz processor or greater, at least 8 GB of RAM, and enough disk space to accommodate the virtual hard drive (likely 8 GB or greater)
Either a Type 1 or Type 2 hypervisor:
Type 1 (bare-metal hypervisor; runs directly on the hardware):
VMware ESXi
Microsoft Hyper-V
Type 2 (requires an OS):
Proxmox (Linux)
Oracle VM VirtualBox (Linux, Windows, macOS, Solaris)
Most likely you will have to create two virtual machines: one into which pfSense will be installed, and a second from which you will access the web GUI and test the functionality of the virtual pfSense system.
pfSense project overview
The origins of pfSense can be traced to the OpenBSD packet filter known as PF, which was incorporated into FreeBSD in 2001. As PF is limited to a command-line interface, several projects have been launched in order to provide a graphical interface for PF. m0n0wall, which was released in 2003, was the earliest attempt at such a project. pfSense began as a fork of the m0n0wall project.
Version 1.0 of pfSense was released on October 4, 2006. Version 2.0 was released on September 17, 2011. Version 2.1 was released on September 15, 2013, and Version 2.2 was released on January 23, 2015. Version 2.3, released on April 12, 2016, phased out support for legacy technologies such as the Point-to-Point Tunneling Protocol (PPTP), Wired Equivalent Privacy (WEP), and single DES, and also provided a facelift for the web GUI.
Version 2.4, released on October 12, 2017, continues this trend of phasing out support for legacy technologies while also adding features and improving the web GUI. Support for 32-bit x86 architectures has been deprecated (security updates will continue for 32-bit systems, however, for at least a year after the release of 2.4), while support for Netgate Advanced RISC Machines (ARM) devices has been added. A new pfSense installer (based on FreeBSD's bsdinstall) has been incorporated into pfSense, and there is support for the ZFS filesystem, as well as the Unified Extensible Firmware Interface (UEFI). pfSense now supports OpenVPN 2.4.x, and as a result, features such as AES-GCM ciphers can be utilized. In addition, pfSense now supports multiple languages; the web GUI has been translated into 13 different languages. At the time of writing, version 2.4.2, released on November 21, 2017, is the most recent version.
Possible deployment scenarios
Once you have decided to add a pfSense system to your network, you need to consider how it is going to be deployed on your network. pfSense is suitable for a variety of networks, from small to large ones, and can be employed in a variety of deployment scenarios. In this section, we will cover the following possible uses for pfSense:
Perimeter firewall
Router
Switch
Wireless router/wireless access point
The most common way to add pfSense to your network is to use it as a perimeter firewall, as shown in the diagram. In this scenario, your internet connection is connected to one port on the pfSense system, and your local network is connected to another port on the system. The port connected to the internet is known as the WAN interface, and the port connected to the local network is known as the LAN interface:
Diagram showing deployment scenario in which pfSense is the firewall
If pfSense is your perimeter firewall, you may choose to set it up as a dedicated firewall, or you might want to have it perform the double duty of a firewall and a router. You may also choose to have more than two interfaces in your pfSense system (known as optional interfaces). In order to act as a perimeter firewall, however, a pfSense system requires at least two interfaces: a WAN interface (to connect to outside networks), and a LAN interface (to connect to the local network).
The perimeter firewall performs two broad functions. The first, monitoring and controlling inbound traffic, should be fairly obvious. Allowing certain traffic on certain ports, while blocking all other traffic, is a core function of all firewalls. The second, monitoring and controlling outbound traffic, might seem less obvious but is also important. Outbound web traffic tends to pass through the firewall unchallenged. This, however, leaves our network vulnerable to malware that targets web browsers. To protect our networks against such threats, we need to monitor outbound traffic as well.
It is commonplace to set up the networks behind the firewall with a split architecture, with assets accessible from the internet being kept separate from the rest of the network. In such cases, the internet-accessible resources are placed on a separate network generally referred to as the demilitarized zone (DMZ). If your network requires such a setup, you can easily do this with pfSense as your perimeter firewall, as we will see later.
In more complex network setups, your pfSense system may have to exchange routing information with other routers on the network. There are two types of protocols for exchanging such information: distance vector protocols obtain their routing information by exchanging information with neighboring routers; routers use link-state protocols to build a map of the network in order to calculate the shortest path to another router, with each router calculating distances independently. pfSense is capable of running both types of protocols. Packages are available for distance vector protocols such as RIP and RIPv2, and link-state protocols such as Border Gateway Protocol (BGP). These protocols will be discussed in greater detail in Chapter 10, Routing and Bridging.
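The two protocol families differ in how a router arrives at a route, and a small simulation makes that concrete. The following Python block is an added example, not code from the book or from pfSense: it runs a distance-vector exchange (each router only ever sees its neighbours' tables) and a link-state computation (each router runs Dijkstra over the whole map) on a constructed four-router topology and checks that both converge on the same next hops. The router names and link costs are invented for illustration.

```python
"""
Added example (not from the book): simulate the two families of dynamic
routing protocol on a constructed topology.

Distance vector: a router knows only its own links and repeatedly exchanges
its distance table with its neighbours until nothing changes (Bellman-Ford,
the approach RIP uses).
Link state: every router holds a copy of the whole topology (the link-state
database) and runs a shortest-path computation over it on its own (Dijkstra).
"""
import heapq

# Constructed topology: undirected links as (router_a, router_b, cost).
LINKS = [
    ("pfsense", "r1", 1),
    ("pfsense", "r2", 4),
    ("r1", "r2", 2),
    ("r1", "r3", 5),
    ("r2", "r3", 1),
]


def build_adjacency(links):
    """Map each router to {neighbour: link_cost}."""
    adj = {}
    for a, b, cost in links:
        adj.setdefault(a, {})[b] = cost
        adj.setdefault(b, {})[a] = cost
    return adj


def distance_vector(links, max_rounds=50):
    """Return {router: {destination: (cost, next_hop)}} after convergence.

    Each round, every router looks only at the vectors its direct neighbours
    advertised in the previous round; it never sees the whole map.
    """
    adj = build_adjacency(links)
    tables = {r: {r: (0, r)} for r in adj}
    for r, nbrs in adj.items():
        for n, cost in nbrs.items():
            tables[r][n] = (cost, n)
    for _ in range(max_rounds):
        advertised = {r: dict(t) for r, t in tables.items()}  # last round's vectors
        changed = False
        for r, nbrs in adj.items():
            for n, link_cost in nbrs.items():
                for dest, (cost_via_n, _) in advertised[n].items():
                    candidate = link_cost + cost_via_n
                    if dest not in tables[r] or candidate < tables[r][dest][0]:
                        tables[r][dest] = (candidate, n)
                        changed = True
        if not changed:
            return tables
    raise RuntimeError("distance-vector exchange did not converge")


def link_state(links, source):
    """Dijkstra run by one router over the full link-state database.

    Returns {destination: (cost, next_hop)} from the point of view of source.
    """
    adj = build_adjacency(links)
    best = {source: 0}
    heap = [(0, source, source)]        # (cost, node, first hop from source)
    routes = {}
    while heap:
        cost, node, hop = heapq.heappop(heap)
        if node in routes:
            continue                    # already settled with a cheaper path
        routes[node] = (cost, hop)
        for n, link_cost in adj[node].items():
            new_cost = cost + link_cost
            if n not in best or new_cost < best[n]:
                best[n] = new_cost
                heapq.heappush(heap, (new_cost, n, n if node == source else hop))
    return routes


def routes_agree(links):
    """True when both methods give identical (cost, next_hop) for every pair."""
    dv = distance_vector(links)
    return all(dv[r] == link_state(links, r) for r in dv)


if __name__ == "__main__":
    for dest, (cost, hop) in sorted(link_state(LINKS, "pfsense").items()):
        print(f"pfsense -> {dest}: cost {cost} via {hop}")
    print("both methods agree:", routes_agree(LINKS))
```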
Another common deployment scenario is to set up pfSense as a router. In a home or SOHO environment, firewall and router functions are often performed by the same device. In mid-sized to large networks, however, the router is a device separate from that of the perimeter firewall.
In larger networks, which have several network segments, pfSense can be used to connect these segments. Traditionally, using a router to connect multiple networks requires multiple network interfaces on the router. However, with VLANs, we can use a single network interface card (NIC) to operate in multiple broadcast domains via 802.1q tagging. VLANs are often used with the ever-popular router on a stick configuration, in which the router has a single physical connection to a switch (this connection is known as a trunk), with the single Ethernet interface divided into multiple VLANs, and the router forwarding packets between the VLANs. One of the advantages of this setup is that it only requires a single port, and, as a result, it allows us to use pfSense on systems where adding another NIC would be cumbersome or even impossible: for example, a laptop or certain thin clients. We will cover VLANs in greater depth in Chapter 3, VLANS.
In most cases, where pfSense is deployed as a router on mid-sized and large networks, it would be used to connect different LAN segments; however, it could also be used as a WAN router. In this case, pfSense's function would be to provide a private WAN connection to the end user.
Another possible deployment scenario is to use pfSense as a switch. If you have multiple interfaces on your pfSense system and bridge them together, pfSense can function as a switch. This is a far less common scenario, however, for several reasons:
Using pfSense as a switch is generally not cost effective. You can purchase a five-port Ethernet switch for less than what it would cost to purchase the hardware for a pfSense system. Buying a commercially available switch will also save you money in the long run, as they likely would consume far less power than whatever computer you would be using to run pfSense.
Commercially available switches will likely outperform pfSense, as pfSense will process all packets that pass between ports, while a typical Ethernet switch will handle them locally with dedicated hardware made specifically for passing data between ports quickly. While you can disable filtering entirely in pfSense if you know what you're doing, you will still be limited by the speed of the bus on which your network cards reside, whether it is PCI, PCI-X, or PCI Express (PCI-e).
There is also the administrative overhead of using pfSense as a switch. Simple switches are designed to be Plug and Play, and setting up these switches is as easy as plugging in your Ethernet cables and the power cord. Managed switches typically enable you to configure settings at the console and/or through a web interface, but in many cases, configuration is only necessary if you want to modify the operation of the switch. If you use pfSense as a switch, however, some configuration will be required.
If none of this intimidates you, then feel free to use pfSense as a switch. While you're not likely to achieve the performance level or cost savings of using a commercially available switch, you will likely learn a great deal about pfSense and networking in the process. Moreover, advances in hardware could make using pfSense as a switch viable at some point in the future. Advances in low-power-consumption computers are one factor that could make this possible.
Yet another possibility is using pfSense as a wireless router/access point. A sizable proportion of modern networks incorporate some type of wireless connectivity. Connecting to a network's wireless is not only easier, but in some cases, running an Ethernet cable is not a realistic option. With pfSense, you can add wireless networking capabilities to your system by adding a wireless network card, provided that the network card is supported by FreeBSD.
Generally, however, using pfSense as a wireless router or access point is not the best option. Support for wireless network cards in FreeBSD leaves something to be desired. Support for the IEEE's 802.11b and g standards is okay, but support for 802.11n and 802.11ac is not very good.
A more likely solution is to buy a wireless router (even if it is one of the aforementioned consumer-grade units), set it up to act solely as an access point, connect it to the LAN port of your pfSense system, and let pfSense act as a Dynamic Host Configuration Protocol (DHCP) server. A typical router will work fine as a dedicated wireless access point, and they are more likely to support the latest wireless networking standards than pfSense. Another possibility is to buy a dedicated wireless access point. These are generally inexpensive and some have such features as multiple SSIDs, which allow you to set up multiple wireless networks (for example, you could have a separate guest network which is completely isolated from other local networks). Using pfSense as a router, in combination with a commercial wireless access point, is likely the least-troublesome option.
Hardware requirements and sizing guidelines
Once you have decided where to deploy pfSense on your network, you should have a clearer idea of what your hardware requirements are. As a minimum, you will need a CPU, motherboard, memory (RAM), some form of disk storage, and at least two network interfaces (unless you are opting for a router on a stick setup, in which case you only need one network interface). You may also need one or more optional interfaces.
Minimum hardware requirements
The starting point for our discussion on hardware requirements is the pfSense minimum specifications. As of January 2018, the minimum hardware requirements are as follows (these specifications are from the official pfSense site, https://www.pfsense.org):
CPU – 500 MHz (1 GHz recommended)
RAM – 512 MB (1 GB recommended)
pfSense requires a 64-bit Intel (x86-64) or AMD (amd64) CPU. You should also use a CPU that supports the AES-NI instruction set extensions (or another hardware crypto offload), as such a CPU will be required, starting with version 2.5. There are three separate images provided for these architectures: CD, CD on a USB memstick, and an image for ARM-based Netgate systems. The active default console for the CD and CD on USB memstick images is VGA, while the active default console for the Netgate image is serial. The NanoBSD images (for embedded systems, which enabled the serial console by default) have been deprecated with the release of version 2.4. The serial console can be enabled on images which default to VGA via the web GUI under System | Advanced.
A pfSense installation requires at least 1 GB of disk space. If you are installing on an embedded device, you can access the console either by a serial or VGA port. A step-by-step installation guide for the pfSense Live CD can be found on the official pfSense website at: https://doc.pfsense.org/index.php/Installing_pfSense.
Version 2.3 eliminated the Live CD, which allowed you to try out pfSense without installing it onto other media. If you really want to use the Live CD, however, you could use a pre-2.3 image (version 2.2.6 or earlier). You can always upgrade to the latest version of pfSense after installation.
Installation onto either a hard disk drive (HDD) or a solid-state drive (SSD) is the most common option for a full install of pfSense, whereas embedded installs typically use CF, SD, or USB media. A full install of the current version of pfSense will fit onto a 1 GB drive, but will leave little room for installation of packages or for log files. Any activity that requires caching, such as running a proxy server, will also require additional disk space.
The last installation option in the table is installation onto an embedded system using the Netgate ADI image. Netgate currently sells several ARM-based systems such as the SG-3100, which is advertised as an appliance that can be used in many deployment scenarios, including as a firewall, LAN or WAN router, VPN appliance, and DHCP or DNS server. It is targeted towards small and medium-sized businesses and may appeal to home and business users seeking a reliable firewall appliance with a low total cost of ownership. Storage (without upgrading) is limited to 8 GB of eMMC Flash, which would limit which packages could be installed. Another Netgate option is the SG-1000, which is a bare-bones router with only 2 Ethernet ports, 512 MB of RAM and 4 GB of eMMC Flash.
Hardware sizing guidelines
The minimum hardware requirements are general guidelines, and you may want to exceed these minimums based on different factors. It may be useful to consider these factors when determining what CPU, memory, and storage device to use:
For the CPU, requirements increase for faster internet connections.
Guidelines for the CPU and network cards can be found at the official pfSense site at http://pfsense.org/hardware/#requirements.
The following general guidelines apply: the minimum hardware specifications (Intel/AMD CPU of 500 MHz or greater) are valid up to 20 Mbps. CPU requirements begin to increase at speeds greater than 20 Mbps.
Connections of 100 Mbps or faster will require PCI-e network adapters to keep up with the increased network throughput.
If you intend to use pfSense to bridge interfaces—for example, if you want to bridge a wireless and wired network, or if you want to use pfSense as a switch—then the PCI bus speed should be considered. The PCI bus can easily become a bottleneck. Therefore, in such scenarios, using PCI-e hardware is the better option, as it offers up to 31.51 GBps (for PCI-e v. 4.0 on a 16-lane slot) versus 533 MBps for the fastest conventional PCI buses.
If you plan on using pfSense as a VPN server, then you should take into account the effect VPN usage will have on the CPU. Each VPN connection requires the CPU to encrypt traffic, and the more connections there are, the more the CPU will be taxed. Generally, the most cost-effective solution is to use a more powerful CPU. But there are ways to reduce the CPU load from VPN traffic. Soekris has the vpn14x1 product range; these cards take the computationally intensive tasks of encryption and compression off the CPU. AES-NI acceleration of IPSec also significantly reduces the CPU requirements.
If you have hundreds of simultaneous captive portal users, you will require slightly more CPU power than you would otherwise. Captive portal usage does not put as much of a load on the CPU as VPN usage, but if you anticipate having a lot of captive portal users, you will want to take this into consideration.
If you're not a power user, 512 MB of RAM might be enough for your pfSense system. This, however, would leave little room for the state table (where, as mentioned earlier, active connections are tracked). Each state requires about 1 KB of memory, which is less memory than some consumer-grade routers require, but you still want to be mindful of RAM if you anticipate having a lot of simultaneous connections. The other components of pfSense require 32 to 48 MB of RAM, and possibly more, depending on which features you are using, so you have to subtract that from the available memory in calculating the maximum state table size.
Installing packages can also increase your RAM requirements; Snort and ntop are two such examples. You should also probably not install packages if you have limited disk space. Proxy servers in particular use up a fair amount of disk space, which is something you should probably consider if you plan on installing a proxy server such as Squid.
The amount of disk space, as well as the form of storage you utilize, will likely be dictated by what packages you install, and what forms of logging you will have enabled. Some packages are more taxing on storage than others, both in the disk space they need and in how heavily they use it. Proxies such as Squid store web pages; anti-spam programs such as pfBlocker download lists of blocked IP addresses, and therefore require additional disk space. Proxies also tend to perform a great deal of read and write operations; therefore, if you are going to install a proxy, disk I/O performance is something you should likely take into consideration.
You may be tempted to opt for the cheapest NICs. However, inexpensive NICs often have complex drivers that offload most of the processing to the CPU. They can saturate your CPU with interrupt handling, thus causing missed packets. Cheaper network cards typically have smaller buffers (often no more than 300 KB), and when the buffers become full, packets are dropped. In addition, many of them do not support Ethernet frames that are larger than the maximum transmission unit (MTU) of 1,500 bytes. NICs that do not support larger frames cannot send or receive jumbo frames (frames with an MTU larger than 1,500 bytes), and therefore they cannot take advantage of the performance improvement that using jumbo frames would bring. In addition, such NICs will often have problems with VLAN traffic, since a VLAN tag increases the size of the Ethernet header beyond the traditional size limit.
The pfSense project recommends NICs based on Intel chipsets, and there are several reasons why such NICs are considered reliable. They tend to have adequately sized buffers, and do not have problems processing larger frames. Moreover, the drivers tend to be well-written and work well with Unix-based operating systems.
For a typical pfSense setup, you will need two network interfaces: one for the WAN and one for the LAN. Each additional subnet (for example, for a guest network) will require an additional interface, as will each additional WAN interface. It should be noted that you don't need an additional card for each interface added; you can buy a multiport network card (most such cards have either two or four ports). You don't need to buy new NICs for your pfSense system; in fact, it is often economical to buy used NICs, and except in rare cases, the performance level will be the same.
If you want to incorporate wireless connectivity into your network, you may consider adding a wireless card to your pfSense system. As mentioned earlier, however, the likely better option is to use pfSense in conjunction with a separate wireless access point. If you do decide to add a wireless card to your system and configure it for use as an access point, you will want to check the FreeBSD hardware compatibility list before making a purchase.
The best practices for installation and configuration
Once you have chosen your hardware and which version you are going to install, you can download pfSense.
Browse to the Downloads section of pfsense.org and select the appropriate computer architecture (32-bit, 64-bit, or Netgate ADI), the appropriate platform (Live CD, memstick, or embedded), and you should be presented with a list of mirrors. Choose the closest one for the best performance.
You will also want to download the SHA256 checksum file in order to verify the integrity of the downloaded image. Verifying the integrity of downloads serves two purposes:
It ensures that the download completed
It safeguards against a party maliciously tampering with the images
In order to safeguard against the latter, however, be sure to download the checksum from a different mirror site than the site from which you downloaded the image. This provides an additional measure of security should an individual mirror site be compromised.
Windows has several utilities for displaying SHA256 hashes for a file. Under BSD and Linux, generating the SHA256 hash is as easy as typing the following command:
shasum -a 256 pfSense-LiveCD-2.4.2-RELEASE-amd64.iso.gz
This command generates the SHA256 checksum for the 64-bit Live CD version for pfSense 2.4.2. You should compare the resulting hash with the contents of the .sha256 file downloaded from one of the (other) mirrors.
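The check described above, as an added example rather than the book's or the pfSense project's own code: a small Python script that computes the SHA-256 digest of a downloaded image and compares it with the entry for that image in the .sha256 file. It accepts both the BSD-style line (SHA256 (file) = hash) and the GNU-style line (hash  file), and the image bytes and checksum lines it runs on are constructed for the demonstration.

```python
import hashlib
import hmac
import io
import re

# Checksum-line formats: BSD style (FreeBSD sha256 / shasum) and GNU style
# (coreutils sha256sum). Both are matched so either mirror's file works.
_BSD_LINE = re.compile(r"^SHA256\s*\((?P<name>.+)\)\s*=\s*(?P<hex>[0-9a-fA-F]{64})$")
_GNU_LINE = re.compile(r"^(?P<hex>[0-9a-fA-F]{64})\s+\*?(?P<name>\S.*)$")


def parse_checksum_file(text):
    """Map each listed filename to its lowercase hex digest; skip other lines."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        m = _BSD_LINE.match(line) or _GNU_LINE.match(line)
        if m:
            expected[m.group("name")] = m.group("hex").lower()
    return expected


def sha256_of(stream, chunk_size=1 << 20):
    """Hex SHA-256 of a binary stream, read in chunks so a large ISO fits in RAM."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def verify_image(image_name, image_stream, checksum_text):
    """True only if checksum_text lists image_name and the digest matches.

    A missing entry counts as failure: a checksum file that does not mention
    the image proves nothing about it. compare_digest keeps the comparison
    constant-time, which is good hygiene even though the inputs are public.
    """
    expected = parse_checksum_file(checksum_text).get(image_name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of(image_stream), expected)


def demo():
    """Constructed sample: a fake image plus .sha256 files in both styles."""
    name = "pfSense-LiveCD-2.4.2-RELEASE-amd64.iso.gz"
    image = b"constructed sample data, not a real pfSense image\n" * 4096
    good = sha256_of(io.BytesIO(image))
    bsd_file = f"SHA256 ({name}) = {good}\n"
    gnu_file = f"{good}  {name}\n"
    tampered = image[:-1] + b"!"   # a single altered byte in the download
    return {
        "bsd_style": verify_image(name, io.BytesIO(image), bsd_file),
        "gnu_style": verify_image(name, io.BytesIO(image), gnu_file),
        "tampered": verify_image(name, io.BytesIO(tampered), bsd_file),
        "not_listed": verify_image("other.iso.gz", io.BytesIO(image), bsd_file),
    }


if __name__ == "__main__":
    # Real use: verify_image(name, open(name, "rb"), open(name + ".sha256").read())
    for case, ok in demo().items():
        print(f"{case}: {'OK' if ok else 'FAILED'}")
```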
The initial pfSense boot menu when booting from a CD or USB drive
If the system hangs during the boot process, there are several options you can try. The first menu that appears, as pfSense boots, has several options. The last two options are Kernel and Configure Boot Options. Kernel allows you to select which kernel to boot from among the available kernels.
If you have a reason to suspect that the FreeBSD kernel being used is not compatible with your hardware, you might want to switch to the older version. Configure Boot Options launches a menu (shown in the preceding screenshot) with several useful options. A description of these options can be found at: https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/. Toggling [A]CPI Support to off can help in some cases, as ACPI's hardware discovery and configuration capabilities may cause the pfSense boot process to hang. If turning this off doesn't work, you could try booting in Safe [M]ode, and if all else fails, you can toggle [V]erbose mode to On, which will give you detailed messages while booting.
While booting, pfSense provides information about your hardware, including expansion buses supported, network interfaces found, and USB support. When this is finished, the graphical installer will launch and you will see the copyright and distribution notice.
Select Accept and press Enter to accept these terms and conditions and continue with the installation.
The installer then provides you with three options: Install pfSense, Rescue Shell, and Recover config.xml. The Rescue Shell option launches a BSD shell prompt from which you can perform functions that might prove helpful in repairing a non-functional pfSense system.
For example, you can copy, delete and edit files from the shell prompt. If you suspect that a recent configuration change is what caused pfSense to break, however, and you saved the configuration file before making the change, the easiest way to fix your system may be to invoke Recover config.xml and restore pfSense from the previously-saved config.xml file.
The next screen provides keymap options. Version 2.4.2 supports 99 different keyboard layouts, including both QWERTY and Dvorak layouts. Highlighting a keymap option and pressing Enter selects that option. There's also an option to test the default keymap, and an option to continue with the default keymap.
Select Accept and press Enter when you have selected a keymap.
Next, the installer provides the following disk partitioning options: Auto (UFS), Manual, Shell, and Auto (ZFS). The first and last options allow you to format the disk with the Unix File System (UFS) and Oracle's ZFS respectively.
There are advantages and disadvantages to each filesystem, but the following table should help in your decision. Note that both filesystems support file ownership, and file creation/last access timestamps.
In general, UFS is the tried-and-true filesystem, while ZFS was created with security in mind and incorporates many newer features such as filesystem-level encryption and data checksums.
pfSense does not support converting the filesystem to ZFS after installation; ZFS formatting must be done before installation.
Manual, as the name implies, allows you to manually create, delete and modify partitions. There are several choices for partition types; you can even create an Apple Partition Map (APM) or a DOS partition, if that suits you. The Shell option drops you to a BSD shell prompt from which you can also manually create, delete and modify partitions, using shell commands.
If you chose ZFS, the next screen will present a series of options that allow you to further configure your ZFS volume.
Pool Type/Disks allows you to select the type of redundancy. The default option is stripe, which provides no redundancy at all. The mirror option provides for duplicate volumes, in which the array continues to operate as long as one drive is functioning. The raid10 option combines mirroring and striping (it is an array of mirrored drives). It requires at least four drives; the array continues to operate if one drive fails; up to half the drives in the RAID can fail so long as they aren't all from the same subset.
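To make the failure rules for the stripe, mirror, and raid10 pool types concrete, here is an added Python model (not from the book, pfSense, or ZFS itself) that reports which combinations of failed drives each layout survives; it assumes that raid10 mirror pairs are formed from consecutive drive numbers (0,1), (2,3), and so on.

```python
from itertools import combinations


def pool_survives(pool_type, n_drives, failed):
    """Does a pool of n_drives drives still hold all its data after `failed` die?

    failed is any iterable of drive indices in 0..n_drives-1.
    """
    failed = set(failed)
    if pool_type == "stripe":
        # Every block lives on exactly one drive: losing any drive loses data.
        return not failed
    if pool_type == "mirror":
        # Every drive holds a full copy: one survivor is enough.
        return len(failed) < n_drives
    if pool_type == "raid10":
        if n_drives < 4 or n_drives % 2:
            raise ValueError("raid10 needs an even number of drives, at least 4")
        # Assumed layout: consecutive drives form the two-way mirror pairs that
        # are striped together. The pool dies only if both halves of a pair die.
        pairs = [(i, i + 1) for i in range(0, n_drives, 2)]
        return all(not (a in failed and b in failed) for a, b in pairs)
    raise ValueError(f"unknown pool type: {pool_type}")


def survival_table(pool_type, n_drives):
    """For k = 1..n_drives, count how many k-drive failure sets the pool survives.

    Returns {k: (survived, total)} over every combination of k failed drives.
    """
    table = {}
    for k in range(1, n_drives + 1):
        sets = list(combinations(range(n_drives), k))
        survived = sum(pool_survives(pool_type, n_drives, s) for s in sets)
        table[k] = (survived, len(sets))
    return table


if __name__ == "__main__":
    for pool, n in (("stripe", 2), ("mirror", 2), ("raid10", 4), ("raid10", 6)):
        print(f"{pool} with {n} drives:")
        for k, (ok, total) in survival_table(pool, n).items():
            print(f"  {k} failed: survives {ok} of {total} combinations")
```

For a four-drive raid10 the table shows that any single failure is survivable but only four of the six possible two-drive failures are, which is the "not both from the same subset" rule in numbers.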
The next three options, raidz1, raidz2, and raidz3, are non-standard RAID options. Like