pfSense Cheatsheet
pfSense is a free and open-source firewall and router distribution based on FreeBSD and its pf packet filter. It provides stateful packet filtering, NAT, IPsec/OpenVPN/WireGuard VPNs, traffic shaping, multi-WAN load balancing, CARP high availability and, through add-on packages such as Suricata or Snort, intrusion detection. It is widely used in enterprise and home networks for its feature set and web interface; that web interface is also the firewall's largest attack surface, so who can reach it is the first thing to lock down.
Installation and Initial Setup
Hardware Requirements
bash
# Minimum Requirements
CPU: 500 MHz (1 GHz recommended)
RAM: 512 MB (1 GB recommended)
Storage: 4 GB (8 GB recommended)
Network: 2 NICs minimum (WAN + LAN)
# Recommended for Enterprise
CPU: Multi-core 2+ GHz
RAM: 4+ GB
Storage: 40+ GB SSD
Network: Multiple gigabit NICs
Installation Process
bash
# Download pfSense CE from https://www.pfsense.org/download/ (the installer is distributed as a gzipped ISO)
# Verify the published SHA256 checksum before writing anything, then decompress
sha256sum pfSense-CE-2.7.0-RELEASE-amd64.iso.gz
gunzip pfSense-CE-2.7.0-RELEASE-amd64.iso.gz
# Create bootable USB (replace /dev/sdX with the USB device; dd overwrites it without asking)
dd if=pfSense-CE-2.7.0-RELEASE-amd64.iso of=/dev/sdX bs=4M status=progress
# Boot from USB and follow installer
# 1. Accept license
# 2. Install pfSense
# 3. Select target disk
# 4. Reboot and remove installation media
Initial Configuration
bash
# Console Setup Menu (serial/VGA console, or SSH once enabled)
0) Logout (SSH only)
1) Assign Interfaces
2) Set interface(s) IP address
3) Reset webConfigurator password
4) Reset to factory defaults
5) Reboot system
6) Halt system
7) Ping host
8) Shell
9) pfTop
10) Filter Logs
11) Restart webConfigurator
12) PHP shell + pfSense tools
13) Update from console
14) Enable Secure Shell (sshd)
15) Restore recent configuration
16) Restart PHP-FPM
# Basic Network Setup
# WAN Interface: DHCP or Static IP
# LAN Interface: 192.168.1.1/24 (default), DHCP server enabled on LAN
# WebGUI: https://192.168.1.1 (reachable from LAN only by default; the setup wizard runs on first login)
# Default credentials: admin/pfsense (change them on the first login; until then anyone on the LAN owns the firewall)
# The physical/serial console menu is unauthenticated unless "Password protect the console menu" is set in System > Advanced > Admin Access
Web Interface Navigation
Dashboard Overview
bash
# Main Dashboard Widgets
System Information
Interface Statistics
Gateway Status
Traffic Graphs
System Activity
Services Status
Thermal Sensors
Load Balancer Status
# Customizing Dashboard
Status > Dashboard
Add/Remove widgets
Drag and drop to reorder
Configure widget settings
Menu Structure
bash
# System Menu
System > General Setup
System > Advanced
System > Cert. Manager
System > User Manager
System > Package Manager
System > High Avail Sync
# Interfaces Menu
Interfaces > Assignments
Interfaces > WAN/LAN/OPT
Interfaces > VLANs
Interfaces > Wireless
# Firewall Menu
Firewall > Rules
Firewall > NAT
Firewall > Aliases
Firewall > Schedules
Firewall > Virtual IPs
# Services Menu
Services > DHCP Server
Services > DNS Resolver
Services > Dynamic DNS
Services > SNMP
Services > UPnP & NAT-PMP
# VPN Menu
VPN > IPsec
VPN > OpenVPN
VPN > WireGuard
VPN > L2TP
# Status Menu
Status > System Logs
Status > Monitoring
Status > Services
Status > Interfaces
Status > Gateways
# Diagnostics Menu
Diagnostics > Ping
Diagnostics > Traceroute
Diagnostics > DNS Lookup
Diagnostics > Packet Capture
Firewall Rules Configuration
Basic Rule Structure
bash
# Rule Components
Action: Pass/Block/Reject (Block drops silently; Reject answers with TCP RST or ICMP unreachable, useful inside but avoid on WAN)
Interface: WAN/LAN/OPT (an interface tab filters traffic arriving on that interface)
Direction: In on interface tabs; Out is only available on Floating rules
Protocol: TCP/UDP/ICMP/Any
Source: IP/Network/Alias
Destination: IP/Network/Alias
Port: Specific/Range/Alias/Any
# Evaluation Order
Interface-tab rules are evaluated top to bottom and the first match wins; later rules are skipped
Floating rules are evaluated first; without "Quick" the last matching floating rule wins
Traffic no pass rule matches is dropped by the implicit default deny, so an empty tab blocks everything
# Default Rules
LAN to Any: Pass (IPv4 and IPv6; allow LAN internet access)
WAN: no pass rules, so all unsolicited inbound traffic hits the default deny
Anti-lockout: Pass (keeps the GUI/SSH ports reachable from LAN; it exists on LAN only and can be disabled once a management rule is in place)
Creating Firewall Rules
bash
# Navigate to Firewall > Rules
# Select interface (WAN/LAN/OPT)
# Click "Add" button (up arrow for top, down for bottom)
# Rule Configuration
Action: Pass/Block/Reject
Disabled: Checkbox to disable rule
Interface: Auto-selected based on current interface
Address Family: IPv4/IPv6/IPv4+IPv6
Protocol: TCP/UDP/ICMP/Any
# Source Configuration
Source Type: Single host/Network/Any
Source Address: IP or network range
Source Port Range: From/To ports
# Destination Configuration
Destination Type: Single host/Network/Any
Destination Address: IP or network range
Destination Port Range: From/To ports
# Extra Options
Log: Enable logging for this rule
Description: Rule description
Advanced Options: Additional settings
Common Rule Examples
bash
# Allow HTTP/HTTPS from LAN to Internet
Action: Pass
Interface: LAN
Protocol: TCP
Source: LAN net
Destination: Any
Destination Port: 80,443 (use a port alias such as Web_Ports; the GUI takes one port, one range or an alias per rule)
# Block P2P Traffic (weak control)
Action: Block
Interface: LAN
Protocol: TCP/UDP
Source: LAN net
Destination: Any
Destination Port: 1024-65535
Description: Block P2P traffic
# Caveat: blocking 1024-65535 also breaks legitimate services on high ports (8443, 3389, VoIP, games) and does nothing against P2P clients on 80/443; application-layer filtering (IDS/IPS package) is the real control
# Allow SSH to the firewall from one management IP
Action: Pass
Interface: WAN
Protocol: TCP
Source: 203.0.113.10 (a single host or alias, never Any)
Destination: WAN address
Destination Port: 22
# SSH must also be enabled in System > Advanced > Admin Access (choose "Public Key Only"); to reach an internal host instead, use a port forward, a plain pass rule to WAN address does not forward anything
# Block Social Media
Action: Block
Interface: LAN
Protocol: TCP
Source: LAN net
Destination: SocialMedia_Alias
Destination Port: 80,443
# Must be placed above the default "LAN to any" pass rule (and above the HTTP/HTTPS pass rule) or it never matches; enable Log to confirm it hits
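The examples above are written in the order a reader would type them in, but pfSense evaluates an interface tab top to bottom and stops at the first match, so a broad pass rule placed above a narrower block rule makes the block dead. The Python below is an added example for this cheatsheet, not code from the pfSense project: it models that first-match evaluation for the LAN rules above and flags any rule an earlier rule already covers. The alias contents, host addresses and packets are constructed for the demonstration.

```python
"""Added example (not pfSense project code): first-match evaluation of
interface-tab rules and detection of rules shadowed by earlier ones.
Alias contents, hosts and packets below are constructed for the demo."""
import ipaddress
from dataclasses import dataclass

ANY_NET = ipaddress.ip_network("0.0.0.0/0")

# Stand-in for Firewall > Aliases (constructed values).
ALIASES = {
    "LAN net": ["192.168.1.0/24"],
    "SocialMedia_Alias": ["198.51.100.0/24", "203.0.113.0/24"],
}


@dataclass
class Rule:
    action: str          # pass / block / reject
    proto: str           # TCP, UDP, TCP/UDP or Any
    src: str             # alias name, CIDR or Any
    dst: str
    dport: str = "Any"   # "80,443", "1024-65535" or Any
    descr: str = ""


def networks(spec):
    if spec == "Any":
        return [ANY_NET]
    return [ipaddress.ip_network(s, strict=False) for s in ALIASES.get(spec, [spec])]


def ports(spec):
    """'Any' -> [(1, 65535)]; '80,443' -> [(80, 80), (443, 443)]; '1024-65535' -> [(1024, 65535)]"""
    if spec == "Any":
        return [(1, 65535)]
    out = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.append((int(lo), int(hi or lo)))
    return out


def protos(spec):
    return {"tcp", "udp", "icmp"} if spec == "Any" else set(spec.lower().split("/"))


def matches(rule, proto, src, dst, dport):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (proto in protos(rule.proto)
            and any(s in n for n in networks(rule.src))
            and any(d in n for n in networks(rule.dst))
            and any(lo <= dport <= hi for lo, hi in ports(rule.dport)))


def first_match(rules, proto, src, dst, dport):
    """Interface-tab semantics: top to bottom, first match decides.
    None means nothing matched, i.e. the implicit default deny applies."""
    for rule in rules:
        if matches(rule, proto, src, dst, dport):
            return rule
    return None


def covers(earlier, later):
    """True if every packet `later` could match is already matched by `earlier`."""
    def nets_covered(a, b):
        return all(any(nb.subnet_of(na) for na in networks(a)) for nb in networks(b))
    return (protos(later.proto) <= protos(earlier.proto)
            and nets_covered(earlier.src, later.src)
            and nets_covered(earlier.dst, later.dst)
            and all(any(alo <= blo and bhi <= ahi for alo, ahi in ports(earlier.dport))
                    for blo, bhi in ports(later.dport)))


def shadowed(rules):
    """(dead_rule, earlier_rule) pairs: the later rule can never fire."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                found.append((later, earlier))
                break
    return found


# LAN tab in the order the examples are listed: the social media block is dead.
LAN_RULES = [
    Rule("pass", "TCP", "LAN net", "Any", "80,443", "Allow HTTP/HTTPS from LAN"),
    Rule("block", "TCP/UDP", "LAN net", "Any", "1024-65535", "Block P2P traffic"),
    Rule("block", "TCP", "LAN net", "SocialMedia_Alias", "80,443", "Block social media"),
]
# Specific block first, then the broad pass.
FIXED_RULES = [LAN_RULES[2], LAN_RULES[0], LAN_RULES[1]]

if __name__ == "__main__":
    for name, rules in (("as listed", LAN_RULES), ("reordered", FIXED_RULES)):
        hit = first_match(rules, "tcp", "192.168.1.50", "198.51.100.7", 443)
        print(f"{name}: LAN host -> social media:443 => {hit.action if hit else 'default deny'}")
        for dead, by in shadowed(rules):
            print(f"{name}: '{dead.descr}' is shadowed by '{by.descr}'")
    # Nothing on this tab passes DNS, so the implicit deny drops it.
    print("udp/53 out:", first_match(FIXED_RULES, "udp", "192.168.1.50", "9.9.9.9", 53))
```

Run as listed, the social media block is reported as shadowed by the HTTP/HTTPS pass rule and a LAN host reaches the alias on 443; reordered, the block fires. The last line also shows the other side of first-match semantics: with only these three rules on the tab, DNS from the LAN is dropped by the implicit deny, which is why the "Block P2P" example breaks more than P2P. The `covers` check is deliberately conservative (exact containment only); pfSense's own GUI does not perform this check, so run it against an exported rule list before a change window.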
Network Address Translation (NAT)
Port Forwarding
bash
# Navigate to Firewall > NAT > Port Forward
# Click "Add" to create new rule
# Port Forward Configuration
Interface: WAN (typically)
Protocol: TCP/UDP/TCP+UDP
Source: Any (or a specific IP/alias; restrict it whenever the service has a known client set)
Source Port Range: Any (typically)
Destination: WAN address
Destination Port Range: External port
Redirect Target IP: Internal server IP
Redirect Target Port: Internal port
Description: Rule description
NAT reflection: Use system default (only needed when internal clients must reach the service via the public IP)
Filter rule association: Add associated filter rule (creates the matching WAN pass rule; a port forward without a pass rule does nothing)
# Example: Web Server Port Forward
Interface: WAN
Protocol: TCP
Destination: WAN address
Destination Port: 80
Redirect Target IP: 192.168.1.100
Redirect Target Port: 80
Description: Web server port forward
# The forwarded host is now internet-exposed; place it on a DMZ VLAN with its own rules so a compromise cannot pivot into the LAN
1:1 NAT
bash
# Navigate to Firewall > NAT > 1:1
# Maps one public IP to one private IP in both directions (inbound and outbound)
# 1:1 NAT Configuration
Interface: WAN
External Subnet IP: Public IP (must exist as a Virtual IP under Firewall > Virtual IPs, e.g. IP Alias or CARP, unless it is the WAN address itself)
Internal IP: Private IP
Destination: Any
Description: Static NAT mapping
# Example: DMZ Server
External Subnet IP: 203.0.113.10
Internal IP: 192.168.1.100
# 1:1 NAT only translates; inbound traffic is still dropped until a WAN rule passes it to the internal IP, so open only the ports the server needs rather than "any"
Outbound NAT
bash
# Navigate to Firewall > NAT > Outbound
# Modes: Automatic (rules generated for every local network), Hybrid (automatic plus manual rules), Manual (only manual rules)
# Manual Outbound NAT Rule
Interface: WAN
Protocol: Any
Source Type: Network
Source: 192.168.1.0/24
Source Port: Any
Destination Type: Any
Destination Port: Any
Translation Address: Interface address
Translation Port: Any
Static Port: Unchecked (source ports are rewritten/randomised, the safer default; check only for protocols that break without it, e.g. some SIP/VoIP devices)
# Hybrid or Manual mode is needed for VPN tunnel networks, multi-WAN and "Do not NAT" exceptions; a missing rule shows up as packets leaving WAN with a private source address
DHCP Server Configuration
Basic DHCP Setup
bash
# Navigate to Services > DHCP Server
# Select interface (LAN/OPT)
# General Options
Enable: Check to enable DHCP
Deny unknown clients: Uncheck for normal operation (checking it serves only static mappings; it is not an access control, any host can still set a static IP)
Subnet: Auto-filled from interface
Subnet Mask: Auto-filled from interface
Available Range: Shows available IP range
# Range Configuration
Range From: Start of DHCP pool
Range To: End of DHCP pool
WINS Servers: Windows name servers
DNS Servers: Leave blank to hand out the firewall itself (DNS Resolver); set only when clients must use other servers
# Example Configuration
Range From: 192.168.1.100
Range To: 192.168.1.200
DNS Servers: (blank, clients receive 192.168.1.1); handing out public resolvers such as 8.8.8.8 bypasses local hostname resolution and any pfBlockerNG DNSBL filtering
DHCP Reservations
bash
# Static DHCP Mappings
# Navigate to Services > DHCP Server
# Scroll to "DHCP Static Mappings for this Interface"
# Static Mapping Configuration
MAC Address: Client MAC address
Client Identifier: Alternative to MAC
IP Address: Reserved IP address
Hostname: Client hostname
Description: Mapping description
# Example: Server Reservation
MAC Address: 00:11:22:33:44:55
IP Address: 192.168.1.50
Hostname: fileserver
Description: File server static IP
Advanced DHCP Options
bash
# Additional DHCP Options
Default Lease Time: 7200 seconds
Maximum Lease Time: 86400 seconds
Failover Peer IP: For DHCP failover
Static ARP: Create static ARP entries
Enable Network Booting: For PXE boot
Next Server: TFTP server for PXE
Default BIOS File Name: PXE boot file
# Custom DHCP Options
Number: DHCP option number
Type: Text/String/Boolean/Unsigned Integer
Value: Option value
VPN Configuration
OpenVPN Server Setup
bash
# Navigate to VPN > OpenVPN > Servers
# Click "Add" to create new server
# General Information
Server Mode: Remote Access (SSL/TLS + User Auth) (certificate plus username/password; "SSL/TLS" alone trusts any certificate the CA ever issued)
Protocol: UDP on IPv4 only (recommended)
Interface: WAN
Local Port: 1194 (default)
Description: OpenVPN Server
# Cryptographic Settings
TLS Configuration: Use a TLS Key, mode TLS Encryption and Authentication (tls-crypt; unauthenticated packets are dropped before the TLS handshake)
Peer Certificate Authority: Select a CA created in System > Cert. Manager (use a CA dedicated to this VPN, not the one that signs the GUI certificate)
Server Certificate: Server cert created with the "Server: Yes" attribute
DH Parameter Length: 2048 bit or larger
Data Encryption Algorithms: AES-256-GCM, AES-128-GCM, CHACHA20-POLY1305 (negotiated with the client)
Fallback Data Encryption Algorithm: AES-256-GCM (AES-256-CBC only for legacy clients; CBC modes are deprecated)
Auth Digest Algorithm: SHA256
# Tunnel Settings
IPv4 Tunnel Network: 10.0.8.0/24
IPv4 Local Network: 192.168.1.0/24
Concurrent Connections: 10
Compression: Disable Compression (compression inside a VPN leaks plaintext via VORACLE-style attacks; never use Adaptive LZO)
# Client Settings
Dynamic IP: Allow connected clients to retain their connections
Topology: Subnet (one address per client)
DNS Default Domain: Local domain
DNS Servers: 192.168.1.1
# Firewall: pass UDP 1194 to WAN address on the WAN tab, then add rules on the OpenVPN tab for what clients may reach (it starts empty, i.e. default deny)
OpenVPN Client Configuration
bash
# Navigate to VPN > OpenVPN > Clients
# Click "Add" to create new client
# General Information
Server Mode: Peer to Peer (SSL/TLS)
Protocol: UDP
Interface: WAN
Server Host or Address: Remote server IP/hostname
Server Port: 1194
Description: OpenVPN Client
# User Authentication
Username/Password: If the server requires user auth in addition to the client certificate
# Cryptographic Settings
TLS Configuration: Use a TLS Key (paste the server's tls-crypt key)
Peer Certificate Authority: The remote server's CA
Client Certificate: A client certificate issued by that CA (one per site; revoke it via a CRL if the box is lost)
Data Encryption Algorithms: Match server settings
Auth Digest Algorithm: Match server settings
# Advanced Configuration
Custom Options: Additional OpenVPN directives (e.g. verify-x509-name to pin the server certificate's name, so a stolen client certificate cannot pose as the server)
IPsec VPN Setup
bash
# Navigate to VPN > IPsec > Tunnels
# Click "Add P1" to create Phase 1
# Phase 1 (IKE) Configuration
General Information:
Key Exchange version: IKEv2 (IKEv1 only for legacy peers)
Internet Protocol: IPv4
Interface: WAN
Remote Gateway: Peer IP address
Description: Tunnel description
Proposal (Authentication):
Authentication Method: Mutual PSK (Mutual Certificate is stronger for site-to-site)
Negotiation Mode: Main (IKEv1 only; never Aggressive with a PSK, it sends the identity hash in the clear for offline cracking)
My Identifier: My IP address
Peer Identifier: Peer IP address
Pre-Shared Key: Shared secret (long random string, not reused across tunnels)
Proposal (Algorithms):
Encryption Algorithm: AES 256 (or AES256-GCM, which needs no separate hash)
Hash Algorithm: SHA256
DH Group: 14 (2048 bit)
Lifetime: 28800 seconds
# Phase 2 (IPsec) Configuration
General Information:
Mode: Tunnel IPv4
Local Network: 192.168.1.0/24
Remote Network: 192.168.2.0/24
Proposal (SA/Key Exchange):
Protocol: ESP
Encryption Algorithms: AES 256 (or AES256-GCM)
Hash Algorithms: SHA256
PFS Key Group: 14 (2048 bit)
Lifetime: 3600 seconds
# pfSense auto-adds WAN rules for UDP 500/4500 and ESP from the peer unless "Disable Auto-added VPN rules" is set in System > Advanced > Firewall & NAT; traffic inside the tunnel is filtered on Firewall > Rules > IPsec, which starts empty (default deny)
WireGuard VPN
bash
# WireGuard is a package on pfSense CE 2.5.2 and later: install it from System > Package Manager first
# Navigate to VPN > WireGuard > Settings
# Enable WireGuard and apply changes
# Create WireGuard Tunnel
Navigate to VPN > WireGuard > Tunnels
Click "Add Tunnel"
# Tunnel Configuration
Enabled: Check
Description: WireGuard Server
Listen Port: 51820
Interface Keys: Generate new keys (the private key stays on the firewall; only the public key is handed to peers)
Interface Addresses: 10.0.9.1/24
# Add Peers
Click "Add Peer"
Enabled: Check
Description: Client 1
Public Key: Client public key
Pre-shared Key: Optional per-peer symmetric key (generate a different one per peer)
Allowed IPs: 10.0.9.2/32 (source addresses this peer may send from, and the routes to it; no two peers may overlap)
Endpoint: Leave empty for a peer that connects in (road warrior); set host:port only for peers the firewall initiates to
Persistent Keepalive: Configure on the side behind NAT (the client), typically 25 seconds; on the server it has no effect for a peer without an endpoint
# Firewall: pass UDP 51820 to WAN address on the WAN tab; assign the tunnel as an interface (Interfaces > Assignments) or use the WireGuard rule tab to pass what peers may reach; nothing passes until a rule exists
Traffic Shaping and QoS
Traffic Shaper Configuration
bash
# Navigate to Firewall > Traffic Shaper (the Wizards tab builds a working starting point)
# Select interface and bandwidth
# Bandwidth Settings
Interface: WAN/LAN (queues act on traffic leaving an interface, so download is shaped on LAN and upload on WAN)
Scheduler Type: HFSC (recommended), CBQ, PRIQ, FAIRQ or CODELQ
Bandwidth: Slightly below the real link rate (about 90-95%); otherwise the modem/ISP buffer does the queueing and the shaper has no effect
# Create Queues
Root Queue: Total bandwidth
Child Queues: Service categories
- High Priority: VoIP, Gaming
- Medium Priority: Web browsing
- Low Priority: File transfers
# Queue Configuration
Queue Name: Descriptive name
Priority: 0-7 (7 highest) for PRIQ/CBQ; ignored by HFSC, which uses bandwidth and the service curves (real time / link share / upper limit) instead
Bandwidth: Allocated bandwidth (HFSC/CBQ; child queues must not add up to more than the parent)
Default Queue: Exactly one child queue per interface must be marked Default or the ruleset fails to load
Description: Queue description
# Traffic enters a queue only through the Ackqueue/Queue fields of a firewall rule (Advanced Options); connections matched by rules without a queue land in the default queue
Limiter Configuration
bash
# Navigate to Firewall > Traffic Shaper > Limiters
# Click "New Limiter"
# Limiter Settings
Enable: Check
Name: Limiter name
Bandwidth: Speed limit (the whole pipe, or per address when a mask is set)
Mask: none / Source addresses / Destination addresses (a mask turns the single pipe into one dynamic pipe per address, i.e. a per-host limit)
Description: Limiter description
# Apply to Firewall Rules
Navigate to Firewall > Rules
Edit existing rule or create new
Advanced Options > In / Out pipe
Select appropriate limiter
# Example: per-host download limit on LAN
Name: Download_Limit
Bandwidth: 10 Mbps
Mask: Destination addresses
Apply to: the LAN pass rule for internet access, as the Out pipe (on a LAN rule, In is traffic from LAN hosts, i.e. upload; Out is traffic back to them, i.e. download); for an upload limit use a second limiter with Mask: Source addresses on the In pipe
Monitoring and Logging
System Logs
bash
# Navigate to Status > System Logs
# Log Categories
System: General system events
Firewall: Firewall rule matches
DHCP: DHCP server events
Portal: Captive portal events
VPN: VPN connection events
Wireless: Wireless events
Resolver: DNS resolver events
# Log Settings
Navigate to Status > System Logs > Settings
Log File Size: Maximum size per log file before rotation (local logs are a short buffer; old entries are gone after rotation)
GUI Log Entries: Number of entries shown in the web interface
Reverse Display: Newest entries first
Log packets matched from the default block rules: keep enabled to see unsolicited inbound traffic; per-rule logging is off unless "Log" is set on the rule
# Remote Logging
Enable Remote Logging: Check
Source Address: A management-side interface, not WAN
Remote Log Servers: Syslog server IP:port (plain UDP syslog is unencrypted and unauthenticated, so keep the collector on a management VLAN)
Remote Syslog Contents: Everything, or at least firewall, system, authentication and VPN events
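Remote syslog only pays off if something reads the firewall log. The Python below is an added example for this cheatsheet, not pfSense project code: it parses filterlog lines in the CSV layout pfSense writes (rule number, sub-rule, anchor, tracker ID, interface, reason, action, direction, IP version, then per-version header fields, then ports for TCP/UDP) and flags WAN sources that were blocked on many distinct ports. The sample lines, the interface name igb0 standing in for WAN, and the thresholds are constructed for the demonstration.

```python
"""Added example (not pfSense project code): parse pfSense filterlog lines
from a syslog feed and flag WAN sources probing many ports.
Field positions follow the filterlog CSV layout; sample lines are constructed."""
import re
from collections import Counter, defaultdict

FILTERLOG_RE = re.compile(r"filterlog\[\d+\]: (?P<csv>.+)$")

# Constructed sample feed: a port sweep, two SSH probes, an IPv6 probe,
# a LAN DNS pass entry and an unrelated sshd line. igb0 = WAN, igb1 = LAN.
SAMPLE_LOG = """\
Jul 13 10:00:01 fw1 filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.50,198.51.100.2,44001,22,0,S,1,,65535,,mss
Jul 13 10:00:01 fw1 filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.50,198.51.100.2,44002,23,0,S,1,,65535,,mss
Jul 13 10:00:02 fw1 filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.50,198.51.100.2,44003,80,0,S,1,,65535,,mss
Jul 13 10:00:02 fw1 filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.50,198.51.100.2,44004,443,0,S,1,,65535,,mss
Jul 13 10:00:03 fw1 filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.50,198.51.100.2,44005,3389,0,S,1,,65535,,mss
Jul 13 10:00:03 fw1 filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.50,198.51.100.2,44006,8080,0,S,1,,65535,,mss
Jul 13 10:00:04 fw1 filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.77,198.51.100.2,50001,22,0,S,1,,65535,,mss
Jul 13 10:00:05 fw1 filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.77,198.51.100.2,50002,22,0,S,1,,65535,,mss
Jul 13 10:00:06 fw1 filterlog[1234]: 5,,,1000000103,igb0,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8::1,2001:db8:1::2,5555,22,0,S,1,,65535,,mss
Jul 13 10:00:07 fw1 filterlog[1234]: 100000101,,,1000000105,igb1,match,pass,in,4,0x0,,64,0,0,DF,17,udp,61,192.168.1.50,9.9.9.9,51000,53,41
Jul 13 10:00:08 fw1 sshd[999]: Failed password for admin from 203.0.113.50 port 44100 ssh2
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


def parse_filterlog(line):
    """Return a dict for a filterlog line, or None for anything else."""
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    rec = {"rule": f[0], "tracker": f[3], "iface": f[4], "action": f[6],
           "dir": f[7], "ipver": f[8]}
    if f[8] == "4":          # tos, ecn, ttl, id, offset, flags, proto-id, proto, length, src, dst
        rec.update(proto=f[16], src=f[18], dst=f[19])
        rest = f[20:]
    elif f[8] == "6":        # class, flow label, hop limit, proto, proto-id, length, src, dst
        rec.update(proto=f[12], src=f[15], dst=f[16])
        rest = f[17:]
    else:
        return None
    if rec["proto"] in ("tcp", "udp") and len(rest) >= 2:
        rec["sport"], rec["dport"] = int(rest[0]), int(rest[1])
    return rec


def blocked_inbound(lines, iface):
    """Parsed records for blocked traffic arriving on the given interface."""
    for line in lines:
        rec = parse_filterlog(line)
        if rec and rec["action"] == "block" and rec["dir"] == "in" and rec["iface"] == iface:
            yield rec


def detect_port_sweeps(lines, iface="igb0", min_ports=5):
    """Sources blocked on at least min_ports distinct destination ports."""
    ports_by_src = defaultdict(set)
    for rec in blocked_inbound(lines, iface):
        if "dport" in rec:
            ports_by_src[rec["src"]].add(rec["dport"])
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}


def blocked_port_counter(lines, iface="igb0"):
    """How often each destination port was probed: what is being hunted for."""
    return Counter(rec["dport"] for rec in blocked_inbound(lines, iface) if "dport" in rec)


if __name__ == "__main__":
    print("sweeps:", detect_port_sweeps(SAMPLE_LINES))
    print("top ports:", blocked_port_counter(SAMPLE_LINES).most_common(3))
```

The sweep detector keys on the tracker-independent tuple (source, distinct destination ports) and ignores LAN-side pass entries and non-filterlog lines, so it can be fed the raw syslog stream. The tracker ID in field four is stable across rule edits and is the right key for joining log lines back to a rule in Firewall > Rules; the rule number in field one shifts whenever the ruleset is reordered.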
Traffic Monitoring
bash
# Navigate to Status > Monitoring
# Monitoring categories (Status > Monitoring replaced the old RRD Graphs page)
System: CPU, memory, state table and process counts
Traffic: Per-interface bandwidth
Packets: Per-interface packet rate
Quality: Gateway packet loss and latency
Queues / QueueDrops: Traffic shaper queue usage and drops
VPN Users: Connected VPN users over time
# Bandwidth Monitor
Navigate to Diagnostics > pfTop
Real-time bandwidth usage by IP
Sort by various criteria
Filter by interface or protocol
# Status > Traffic Graph
Real-time interface statistics
Configurable time periods
Multiple interfaces simultaneously
Packet Capture
bash
# Navigate to Diagnostics > Packet Capture
# Capture Settings
Interface: Select interface to monitor
Host Address: Specific IP to capture
Port: Specific port to capture
Protocol: TCP/UDP/ICMP/Any
Packet Length: Bytes to capture
Count: Number of packets
Detail Level: Normal/Medium/High/Full
# Capture Filters
host 192.168.1.100: Specific host
port 80: Specific port
tcp and port 443: TCP on port 443
not port 22: Exclude SSH traffic
# Download and Analysis
Download captured packets
Analyze with Wireshark
Save for later analysis
High Availability and Clustering
CARP Configuration
bash
# Navigate to System > High Avail Sync (configure on the primary only; the secondary receives)
# State/Config Sync Settings
Synchronize States: Check
Synchronize Interface: Dedicated SYNC interface (direct cable or isolated VLAN; pfsync is unauthenticated and unencrypted, so never LAN or WAN)
pfsync Synchronize Peer IP: Secondary's SYNC address (unicast instead of multicast)
Synchronize Config to IP: Secondary firewall's SYNC IP
Remote System Username: admin (the account the XMLRPC sync logs in with on the secondary)
Remote System Password: Password (sent over the sync link, hence the isolation requirement)
Synchronize Users and Groups: Check
Synchronize Certificates: Check
Synchronize Rules / NAT / Aliases / VPN: Check as needed
# CARP Virtual IPs
Navigate to Firewall > Virtual IPs
Type: CARP
Interface: Shared interface
Address: Virtual IP address (clients and upstream point at this, never at either node's own address)
Subnet Mask: Network mask
VHID Group: 1-255 (unique per broadcast domain; a colliding VHID from another CARP/VRRP device causes flapping)
Advertising Frequency: Base 1, Skew 0 on the primary; config sync raises the skew on the secondary (typically to 100)
Password: CARP password (must match on both nodes; authenticates the advertisements)
Description: CARP VIP description
State Synchronization
bash
# pfsync Configuration
Navigate to System > High Avail Sync
Synchronize States: Enable
pfsync Interface: Dedicated sync interface
pfsync Peer IP: Other firewall's sync IP
# Automatic Failover
Primary firewall: CARP advskew 0 (base 1)
Secondary firewall: CARP advskew 100
Lower skew = preferred master; the node advertising with the lowest skew holds the VIPs
Automatic promotion when the master stops advertising (node down, or its interface loses link); existing connections survive because states were synced
# Maintenance: Status > CARP > "Enter Persistent CARP Maintenance Mode" hands the VIPs to the peer cleanly before patching
Package Management
Installing Packages
bash
# Navigate to System > Package Manager
# Available Packages tab
# Popular Packages
pfBlockerNG: IP and DNS blocking
Suricata: Intrusion Detection System
ntopng: Network Traffic Monitor
FreeRADIUS: RADIUS server
Squid: Proxy server
HAProxy: Load balancer
OpenVPN Client Export: VPN client configs
Zabbix Agent: Monitoring agent
# Package Installation
Search for package
Click "Install" button
Confirm installation
Configure package settings
Package Configuration
bash
# pfBlockerNG Configuration
Navigate to Firewall > pfBlockerNG
Enable pfBlockerNG
Configure IP blocking lists
Configure DNS blocking lists
Set update frequency
Apply changes
# Suricata Configuration
Navigate to Services > Suricata
Enable Suricata on interfaces
Download rule sets
Configure rule categories
Set logging options
Start Suricata service
# Squid Proxy Configuration
Navigate to Services > Squid Proxy Server
Enable Squid proxy
Set proxy port (3128)
Configure access control
Set cache settings
Configure authentication
Command Line Interface
Console Access
bash
# Physical console access
Connect serial cable
115200 baud, 8N1
Terminal emulator (PuTTY, or screen /dev/ttyUSB0 115200)
# SSH Access (disabled by default)
Enable under System > Advanced > Admin Access > Secure Shell; set "SSHd Key Only" to Public Key Only
ssh admin@192.168.1.1
# Login lands in the console menu; choose 8) Shell for the FreeBSD shell
# Common Commands
pfctl -sr: Show loaded firewall rules
pfctl -vvsr: Rules with hit counters and labels (find dead rules)
pfctl -ss: Show state table
pfctl -si: Show pf counters and state table size/limit
pfctl -sn: Show NAT rules
pfctl -t <alias> -T show: Show the addresses in an alias table
pfctl -k 203.0.113.50: Kill all states from a host (cut off an attacker)
pfctl -d: Disable packet filtering (emergency unlock from the console; re-enable with pfctl -e)
tail -f /var/log/filter.log: Live firewall log
ifconfig: Show interface configuration
netstat -rn: Show routing table
top -aSH: Show system processes and driver/interrupt threads
/etc/rc.reload_all: Reload all services from config.xml
pfSsh.php: pfSense PHP shell for scripted config changes
Configuration Backup/Restore
bash
# Web Interface Backup
Navigate to Diagnostics > Backup & Restore
Configuration area: All
Encryption: Check and set a passphrase (config.xml contains password hashes, IPsec PSKs, VPN private keys and package credentials; treat it as a secret)
Backup configuration: Download XML
Restore configuration: Upload XML (the firewall reboots)
Config History tab: recent configs are kept in /cf/conf/backup and can be diffed against each other or restored
# Command Line Backup
# Backup configuration (/conf/config.xml is a symlink to /cf/conf/config.xml)
cp /cf/conf/config.xml /root/config-backup.xml
# Restore configuration
cp /root/config-backup.xml /cf/conf/config.xml
rm /tmp/config.cache   # otherwise the cached copy of the old config is loaded
/etc/rc.reload_all
# Automatic Backup (AutoConfigBackup, Services > Auto Configuration Backup)
Enable automatic backups (a backup is pushed on every configuration change)
Configure encryption: the passphrase encrypts the upload; store it where it can be recovered, otherwise the backups are unreadable
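An exported config.xml is also the easiest thing to audit: it is one file, it is versioned in the config history, and every setting this cheatsheet warns about is visible in it. The Python below is an added example for this cheatsheet, not pfSense project code. It checks a constructed, trimmed config for the webConfigurator protocol, password-based SSH, WAN pass rules from any source, OpenVPN compression and DH size, and missing remote syslog. The element names follow a typical config.xml export (`system/webgui/protocol`, `system/ssh/sshdkeyonly`, `filter/rule`, `openvpn/openvpn-server`, `syslog/remoteserver`) but are assumptions to verify against your own file; both sample configs are constructed.

```python
"""Added example (not pfSense project code): offline audit of an exported
config.xml for the weak settings this cheatsheet warns about.
Element names follow a typical config.xml export; check them against your
own file. Both configs below are constructed and trimmed to the audited parts."""
import xml.etree.ElementTree as ET

WEAK_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <hostname>fw1</hostname>
    <webgui><protocol>http</protocol><port>80</port></webgui>
    <ssh><enable>enabled</enable></ssh>
  </system>
  <syslog><enable/></syslog>
  <filter>
    <rule>
      <type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <protocol>tcp</protocol>
      <source><any/></source>
      <destination><network>wanip</network><port>22</port></destination>
      <descr><![CDATA[temp ssh]]></descr>
    </rule>
    <rule>
      <type>pass</type><interface>lan</interface><ipprotocol>inet</ipprotocol>
      <source><network>lan</network></source>
      <destination><any/></destination>
      <descr><![CDATA[Default allow LAN to any rule]]></descr>
    </rule>
  </filter>
  <openvpn>
    <openvpn-server>
      <vpnid>1</vpnid><mode>server_tls</mode><local_port>1194</local_port>
      <compression>adaptive</compression><dh_length>1024</dh_length>
      <description><![CDATA[OpenVPN Server]]></description>
    </openvpn-server>
  </openvpn>
</pfsense>
"""

# The same file with each weak setting corrected (constructed).
HARDENED_CONFIG = (
    WEAK_CONFIG
    .replace("<protocol>http</protocol><port>80</port>", "<protocol>https</protocol><port>443</port>")
    .replace("<ssh><enable>enabled</enable></ssh>",
             "<ssh><enable>enabled</enable><sshdkeyonly>enabled</sshdkeyonly></ssh>")
    .replace("<source><any/></source>", "<source><address>203.0.113.10</address></source>")
    .replace("<compression>adaptive</compression><dh_length>1024</dh_length>",
             "<compression>none</compression><dh_length>2048</dh_length>")
    .replace("<syslog><enable/></syslog>", "<syslog><enable/><remoteserver>10.0.0.5</remoteserver></syslog>")
)


def _t(node, path, default=""):
    child = node.find(path)
    return (child.text or "").strip() if child is not None else default


def audit_config(xml_text):
    """Return (severity, message) findings; an empty list means nothing flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    if _t(root, "system/webgui/protocol") != "https":
        findings.append(("high", "webConfigurator served over plain HTTP"))
    if root.find("system/ssh/enable") is not None and _t(root, "system/ssh/sshdkeyonly") != "enabled":
        findings.append(("medium", "SSH enabled with password authentication"))
    for rule in root.findall("filter/rule"):
        descr = _t(rule, "descr")
        if not descr:
            findings.append(("low", f"undocumented rule on {_t(rule, 'interface')}"))
        if (_t(rule, "type") == "pass" and _t(rule, "interface") == "wan"
                and rule.find("source/any") is not None):
            findings.append(("high", f"WAN pass rule '{descr}' accepts any source"))
    for srv in root.findall("openvpn/openvpn-server"):
        name = _t(srv, "description", "vpnid " + _t(srv, "vpnid"))
        comp = _t(srv, "compression")
        if comp not in ("", "none"):
            findings.append(("high", f"OpenVPN '{name}': compression '{comp}' enabled"))
        dh = _t(srv, "dh_length")
        if dh.isdigit() and int(dh) < 2048:
            findings.append(("medium", f"OpenVPN '{name}': {dh}-bit DH parameters"))
    if not any(_t(root, "syslog/remoteserver" + n) for n in ("", "2", "3")):
        findings.append(("low", "no remote syslog server; logs die with the box"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_config(WEAK_CONFIG):
        print(f"[{sev}] {msg}")
    print("hardened findings:", audit_config(HARDENED_CONFIG))
```

Run it against every backup before it is archived and diff the findings between the previous and current revision: a new high finding is a change that needs a ticket. Because the export holds secrets, run the audit on the encrypted-at-rest copy's decrypted form in a controlled place, not on a shared workstation.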
Troubleshooting
Common Issues
bash
# Interface Not Working
Check cable connections and link state (Status > Interfaces)
Verify interface assignment (Interfaces > Assignments) and VLAN tag
Check IP configuration and that the subnet does not overlap another interface
Review firewall rules: a drop appears in the Firewall log only if the rule logs or default-deny logging is on
Test with Diagnostics > Packet Capture on that interface to see whether packets arrive at all
# VPN Connection Issues
Verify certificates (CA, expiry, CRL); Status > System Logs > OpenVPN / IPsec shows the exact TLS or IKE error
Check firewall rules on WAN (the VPN port) and on the OpenVPN/IPsec/WireGuard tab (traffic inside the tunnel)
Review VPN logs with raised verbosity (OpenVPN Verbosity level, IPsec Advanced Settings log levels)
Test connectivity with Diagnostics > Ping using the VPN interface as source address
Verify routing (Diagnostics > Routes) and that remote networks do not overlap local ones
# Performance Issues
Check CPU usage, including whether a single core is saturated (top -aSH)
Monitor memory usage and state table size (Status > Monitoring > System; Diagnostics > pfInfo)
Review traffic graphs and interface errors (Status > Interfaces)
Check for bottlenecks: hardware offloading (checksum/TSO/LRO) on virtual NICs, IDS/IPS and pfBlockerNG load
Optimize rules: very large rule sets and alias tables slow every filter reload
# DNS Resolution Problems
Check DNS settings (System > General Setup and Services > DNS Resolver)
Verify forwarders, DNSSEC and which interfaces the Resolver listens on
Test with Diagnostics > DNS Lookup (uses the firewall's own resolver) and from a client
Review resolver logs (Status > System Logs > DNS Resolver)
Check firewall rules: clients need UDP/TCP 53 to the firewall, or outbound to external resolvers if not using it
Diagnostic Tools
bash
# Built-in Diagnostics
Ping: Test connectivity
Traceroute: Trace network path
DNS Lookup: Test DNS resolution
ARP Table: View ARP entries
NDP Table: View IPv6 neighbors
Routes: View routing table
Sockets: Show network sockets
States: Show firewall states
# Log Analysis
System logs: General issues
Firewall logs: Rule matches
DHCP logs: IP assignments
VPN logs: Connection issues
Gateway logs: WAN problems
# Performance Monitoring
Status > Monitoring: Traffic, quality, system and queue graphs (historical RRD data; replaced the old RRD Graphs page)
Status > Traffic Graph: Live per-interface throughput with top talkers
Diagnostics > pfInfo: pf counters, state table usage and limits
Diagnostics > pfTop: Real-time state table sorted by bytes, packets or age
Security Best Practices
Hardening pfSense
bash
# System Hardening
Change the default admin/pfsense password immediately; create named admin users and keep the shared admin account for break-glass use
Disable unused services (UPnP/NAT-PMP, SNMP, DNS Forwarder when the Resolver is used)
Enable secure protocols only: HTTPS for the webConfigurator with a trusted certificate, SSH public key only
Configure proper time sync (NTP): certificate validation, log correlation and TOTP all depend on it
Regular security updates (System > Update) and package updates; follow the pfSense security advisories
# Access Control
Limit admin access: GUI and SSH reachable only from a management VLAN or host alias; never expose the GUI on WAN (a VPN is the way in)
Use strong passwords and per-user accounts with minimal privileges (System > User Manager)
Enable two-factor authentication: the GUI and OpenVPN can authenticate against RADIUS (e.g. the FreeRADIUS package with TOTP) or LDAP
Restrict SSH access with a source alias in the rules and keep the anti-lockout rule scoped to the management network
Monitor login attempts (GUI and SSH failures are in Status > System Logs > System) and ship them to remote syslog
# Network Security
Block unnecessary ports: no WAN pass rules beyond what a service needs, each with a source restriction
Use VLANs for segmentation (DMZ, IoT, guests) with explicit inter-VLAN rules; the default LAN-to-any rule should not survive on a segmented network
Implement proper NAT rules: prefer port forwards with associated rules over 1:1 NAT; leave NAT reflection off unless needed
Configure intrusion detection (Suricata/Snort) and pfBlockerNG for known-bad IP and DNS lists
Regular rule review: remove rules with zero hits (pfctl -vvsr) and rules nobody can explain
# Monitoring
Enable comprehensive logging (default block logging, per-rule logging on WAN pass rules and sensitive internal rules, VPN and authentication events)
Set up log monitoring on a remote syslog/SIEM so a compromise of the firewall does not erase the evidence
Configure alerting (Notifications in System > Advanced: e-mail, Pushover, Telegram) for gateway down, CARP failover and available updates
Regular security audits of the rule set and config.xml (diff against the last known-good backup)
Backup configurations encrypted and off-box after every change
Firewall Rule Best Practices
bash
# Rule Organization
Order rules by specificity: pfSense stops at the first match, so the most specific rules go first
Place block rules above the broad pass rules they carve out (a block below "LAN net to any" never fires)
Default deny at bottom: unmatched traffic is already denied implicitly; an explicit final "block any, log" rule on each interface makes the drops visible and intentional
Group related rules and use separators (the "Separator" button) to label the groups
Use descriptive names in the Description field; it becomes the rule label in logs and in pfctl output
# Security Principles
Principle of least privilege: pass only the protocol/port/destination combinations a host needs, never "any" on WAN
Explicit deny rules, logged, for things that must never work (e.g. IoT VLAN to management)
Log security events: logging on WAN pass rules and on blocks between internal segments
Regular rule review using hit counters and Config History (Diagnostics > Backup & Restore)
Document rule purposes, owner and date in the Description
# Performance Optimization
Minimize rule count: pf walks the rules for each new connection; established states bypass them entirely
Use aliases for efficiency: an alias becomes a pf table looked up in one radix-tree search regardless of size, so one rule with a large alias beats many rules
Avoid overlapping rules: overlaps hide dead rules and make review ambiguous
Optimize rule order: rules that match the most new connections belong near the top
Monitor rule statistics: the States/Bytes/Packets columns in Firewall > Rules, or pfctl -vvsr on the shell