# pfSense Cheatsheet

pfSense is a free and open-source firewall and router distribution based on FreeBSD. It provides a comprehensive network security platform with advanced features including stateful packet filtering, VPN capabilities, traffic shaping, load balancing and intrusion detection. pfSense is widely used in enterprise environments and home networks for its robust security features and user-friendly web interface.
## Installation and Setup

### Hardware Requirements

```bash
# Minimum Requirements
CPU: 500 MHz (1 GHz recommended)
RAM: 512 MB (1 GB recommended)
Storage: 4 GB (8 GB recommended)
Network: 2 NICs minimum (WAN + LAN)

# Recommended for Enterprise
CPU: Multi-core 2+ GHz
RAM: 4+ GB
Storage: 40+ GB SSD
Network: Multiple gigabit NICs
```
### Installation Process

```bash
# Download the pfSense ISO from https://www.pfsense.org/download/
# (select the image for your platform there; fetching the page itself with wget
# only downloads HTML, not the installer)

# Create bootable USB (sdX is the USB device; double-check it is not a system disk)
dd if=pfSense-CE-2.7.0-RELEASE-amd64.iso of=/dev/sdX bs=4M status=progress

# Boot from USB and follow installer
# 1. Accept license
# 2. Install pfSense
# 3. Select target disk
# 4. Reboot and remove installation media
```
### Initial Configuration

```bash
# Console Setup Menu
1) Assign Interfaces
2) Set interface(s) IP address
3) Reset webConfigurator password
4) Reset to factory defaults
5) Reboot system
6) Halt system
7) Ping host
8) Shell

# Basic Network Setup
WAN Interface: DHCP or Static IP
LAN Interface: 192.168.1.1/24 (default)
WebGUI: https://192.168.1.1
Default credentials: admin/pfsense (change at first login)
```
## Web Interface Navigation

### Dashboard Overview

```bash
# Main Dashboard Widgets
System Information
Interface Statistics
Gateway Status
Traffic Graphs
System Activity
Services Status
Thermal Sensors
Load Balancer Status

# Customizing Dashboard
Status > Dashboard
Add/Remove widgets
Drag and drop to reorder
Configure widget settings
```
### Menu Structure

```bash
# System Menu
System > General Setup
System > Advanced
System > Cert. Manager
System > User Manager
System > Package Manager
System > High Avail Sync

# Interfaces Menu
Interfaces > Assignments
Interfaces > WAN/LAN/OPT
Interfaces > VLANs
Interfaces > Wireless

# Firewall Menu
Firewall > Rules
Firewall > NAT
Firewall > Aliases
Firewall > Schedules
Firewall > Virtual IPs

# Services Menu
Services > DHCP Server
Services > DNS Resolver
Services > Dynamic DNS
Services > SNMP
Services > UPnP & NAT-PMP

# VPN Menu
VPN > IPsec
VPN > OpenVPN
VPN > WireGuard
VPN > L2TP

# Status Menu
Status > System Logs
Status > Monitoring
Status > Services
Status > Interfaces
Status > Gateways

# Diagnostics Menu
Diagnostics > Ping
Diagnostics > Traceroute
Diagnostics > DNS Lookup
Diagnostics > Packet Capture
```
## Firewall Rules Configuration

### Basic Rule Structure

```bash
# Rule Components
Action: Pass/Block/Reject
Interface: WAN/LAN/OPT
Direction: In/Out
Protocol: TCP/UDP/ICMP/Any
Source: IP/Network/Alias
Destination: IP/Network/Alias
Port: Specific/Range/Any

# Default Rules
LAN to Any: Pass (allow LAN internet access)
WAN to Any: Block (block inbound connections)
Anti-lockout: Pass (prevent GUI lockout)
```
### Creating Firewall Rules

```bash
# Navigate to Firewall > Rules
# Select interface (WAN/LAN/OPT)
# Click "Add" button (up arrow for top, down for bottom)

# Rule Configuration
Action: Pass/Block/Reject
Disabled: Checkbox to disable rule
Interface: Auto-selected based on current interface
Address Family: IPv4/IPv6/IPv4+IPv6
Protocol: TCP/UDP/ICMP/Any

# Source Configuration
Source Type: Single host/Network/Any
Source Address: IP or network range
Source Port Range: From/To ports

# Destination Configuration
Destination Type: Single host/Network/Any
Destination Address: IP or network range
Destination Port Range: From/To ports

# Extra Options
Log: Enable logging for this rule
Description: Rule description
Advanced Options: Additional settings
```
### Common Rule Examples

```bash
# Allow HTTP/HTTPS from LAN to Internet
Action: Pass
Interface: LAN
Protocol: TCP
Source: LAN net
Destination: Any
Destination Port: 80,443

# Block P2P Traffic (coarse: also blocks legitimate services on high ports)
Action: Block
Interface: LAN
Protocol: TCP/UDP
Source: LAN net
Destination: Any
Destination Port: 1024-65535
Description: Block P2P traffic

# Allow SSH from Specific IP
Action: Pass
Interface: WAN
Protocol: TCP
Source: 203.0.113.10
Destination: WAN address
Destination Port: 22

# Block Social Media
Action: Block
Interface: LAN
Protocol: TCP
Source: LAN net
Destination: SocialMedia_Alias
Destination Port: 80,443
```
## Network Address Translation (NAT)

### Port Forwarding

```bash
# Navigate to Firewall > NAT > Port Forward
# Click "Add" to create new rule

# Port Forward Configuration
Interface: WAN (typically)
Protocol: TCP/UDP/TCP+UDP
Source: Any (or specific IP)
Source Port Range: Any (typically)
Destination: WAN address
Destination Port Range: External port
Redirect Target IP: Internal server IP
Redirect Target Port: Internal port
Description: Rule description

# Example: Web Server Port Forward
Interface: WAN
Protocol: TCP
Destination Port: 80
Redirect Target IP: 192.168.1.100
Redirect Target Port: 80
Description: Web server port forward
```
### 1:1 NAT

```bash
# Navigate to Firewall > NAT > 1:1
# Used for static NAT mapping

# 1:1 NAT Configuration
Interface: WAN
External Subnet IP: Public IP
Internal IP: Private IP
Destination: Any
Description: Static NAT mapping

# Example: DMZ Server
External Subnet IP: 203.0.113.10
Internal IP: 192.168.1.100
```
### Outbound NAT

```bash
# Navigate to Firewall > NAT > Outbound
# Modes: Automatic/Hybrid/Manual

# Manual Outbound NAT Rule
Interface: WAN
Protocol: Any
Source Type: Network
Source: 192.168.1.0/24
Source Port: Any
Destination Type: Any
Destination Port: Any
Translation Address: Interface address
Translation Port: Any
Static Port: Unchecked (typically)
```
## DHCP Server Configuration

### Basic DHCP Setup

```bash
# Navigate to Services > DHCP Server
# Select interface (LAN/OPT)

# General Options
Enable: Check to enable DHCP
Deny unknown clients: Uncheck for normal operation
Subnet: Auto-filled from interface
Subnet Mask: Auto-filled from interface
Available Range: Shows available IP range

# Range Configuration
Range From: Start of DHCP pool
Range To: End of DHCP pool
WINS Servers: Windows name servers
DNS Servers: Custom DNS servers (optional)

# Example Configuration
Range From: 192.168.1.100
Range To: 192.168.1.200
DNS Servers: 8.8.8.8, 8.8.4.4
```
### DHCP Reservations

```bash
# Static DHCP Mappings
# Navigate to Services > DHCP Server
# Scroll to "DHCP Static Mappings for this Interface"

# Static Mapping Configuration
MAC Address: Client MAC address
Client Identifier: Alternative to MAC
IP Address: Reserved IP address
Hostname: Client hostname
Description: Mapping description

# Example: Server Reservation
MAC Address: 00:11:22:33:44:55
IP Address: 192.168.1.50
Hostname: fileserver
Description: File server static IP
```
### Advanced DHCP Options

```bash
# Additional DHCP Options
Default Lease Time: 7200 seconds
Maximum Lease Time: 86400 seconds
Failover Peer IP: For DHCP failover
Static ARP: Create static ARP entries
Enable Network Booting: For PXE boot
Next Server: TFTP server for PXE
Default BIOS File Name: PXE boot file

# Custom DHCP Options
Number: DHCP option number
Type: Text/String/Boolean/Unsigned Integer
Value: Option value
```
## VPN Configuration

### OpenVPN Server Setup

```bash
# Navigate to VPN > OpenVPN > Servers
# Click "Add" to create new server

# General Information
Server Mode: Remote Access (SSL/TLS)
Protocol: UDP (recommended)
Interface: WAN
Local Port: 1194 (default)
Description: OpenVPN Server

# Cryptographic Settings
TLS Configuration: Use a TLS Key
Peer Certificate Authority: Select CA
Server Certificate: Select server cert
DH Parameter Length: 2048 bit
Encryption Algorithm: AES-256-CBC
Auth Digest Algorithm: SHA256

# Tunnel Settings
IPv4 Tunnel Network: 10.0.8.0/24
IPv4 Local Network: 192.168.1.0/24
Concurrent Connections: 10
Compression: Adaptive LZO Compression

# Client Settings
Dynamic IP: Allow connected clients to retain their connections
Address Pool: Use a pool of addresses
DNS Default Domain: Local domain
DNS Servers: 192.168.1.1
```
### OpenVPN Client Configuration

```bash
# Navigate to VPN > OpenVPN > Clients
# Click "Add" to create new client

# General Information
Server Mode: Peer to Peer (SSL/TLS)
Protocol: UDP
Interface: WAN
Server Host or Address: Remote server IP/hostname
Server Port: 1194
Description: OpenVPN Client

# User Authentication
Username/Password: If required
Authentication Only: For additional security

# Cryptographic Settings
Peer Certificate Authority: Remote CA
Client Certificate: Client certificate
Encryption Algorithm: Match server settings
Auth Digest Algorithm: Match server settings

# Advanced Configuration
Custom Options: Additional OpenVPN directives
```
### IPsec VPN Setup

```bash
# Navigate to VPN > IPsec > Tunnels
# Click "Add P1" to create Phase 1

# Phase 1 (IKE) Configuration
# General Information
Remote Gateway: Peer IP address
Description: Tunnel description

# Proposal (Authentication)
Authentication Method: Mutual PSK
Negotiation Mode: Main
My Identifier: My IP address
Peer Identifier: Peer IP address
Pre-Shared Key: Shared secret

# Proposal (Algorithms)
Encryption Algorithm: AES 256
Hash Algorithm: SHA256
DH Group: 14 (2048 bit)
Lifetime: 28800 seconds

# Phase 2 (IPsec) Configuration
# General Information
Mode: Tunnel IPv4
Local Network: 192.168.1.0/24
Remote Network: 192.168.2.0/24

# Proposal (SA/Key Exchange)
Protocol: ESP
Encryption Algorithms: AES 256
Hash Algorithms: SHA256
PFS Key Group: 14 (2048 bit)
Lifetime: 3600 seconds
```
### WireGuard VPN

```bash
# Navigate to VPN > WireGuard > Settings
# Enable WireGuard and apply changes

# Create WireGuard Tunnel
# Navigate to VPN > WireGuard > Tunnels
# Click "Add Tunnel"

# Tunnel Configuration
Enabled: Check
Description: WireGuard Server
Listen Port: 51820
Interface Keys: Generate new keys
Interface Addresses: 10.0.9.1/24

# Add Peers
# Click "Add Peer"
Enabled: Check
Description: Client 1
Public Key: Client public key
Allowed IPs: 10.0.9.2/32
Endpoint: Leave empty for server
Persistent Keepalive: 25 seconds
```
## Traffic Shaping and QoS

### Traffic Shaper Configuration

```bash
# Navigate to Firewall > Traffic Shaper
# Select interface and bandwidth

# Bandwidth Settings
Interface: WAN/LAN
Scheduler Type: HFSC (recommended)
Bandwidth: Available bandwidth
Burst: Burst allowance

# Create Queues
Root Queue: Total bandwidth
Child Queues: Service categories
  - High Priority: VoIP, Gaming
  - Medium Priority: Web browsing
  - Low Priority: File transfers

# Queue Configuration
Queue Name: Descriptive name
Priority: 1-7 (7 highest)
Bandwidth: Allocated bandwidth
Burst: Burst allowance
Description: Queue description
```
### Limiter Configuration

```bash
# Navigate to Firewall > Traffic Shaper > Limiters
# Click "New Limiter"

# Limiter Settings
Enable: Check
Name: Limiter name
Bandwidth: Speed limit
Mask: none/Src/Dst
Description: Limiter description

# Apply to Firewall Rules
Navigate to Firewall > Rules
Edit existing rule or create new
Advanced Features > In/Out pipe
Select appropriate limiter

# Example: Bandwidth Limiting
Name: Download_Limit
Bandwidth: 10 Mbps
Mask: Destination addresses
Apply to: LAN rules for internet access
```
## Monitoring and Logging

### System Logs

```bash
# Navigate to Status > System Logs

# Log Categories
System: General system events
Firewall: Firewall rule matches
DHCP: DHCP server events
Portal: Captive portal events
VPN: VPN connection events
Wireless: Wireless events
Resolver: DNS resolver events

# Log Settings
Navigate to Status > System Logs > Settings
Log File Size: Maximum log size
Log Entries: Number of entries to display
Reverse Display: Newest entries first
GUI Log Entries: Web interface log size

# Remote Logging
Remote Log Servers: Syslog server IPs
Remote Syslog Contents: What to send
```
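Once firewall log lines reach a remote syslog server they can be summarized offline. The following Python script is an added example, not a pfSense tool: it parses the comma-separated `filterlog` format (assumed layout: rule number, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then for IPv4 eight header fields ending in the protocol name, then length, source, destination, source port, destination port) and reports sources whose blocked inbound connections touched several distinct ports. The log lines are constructed, not captured from a real firewall.

```python
"""Summarize blocked inbound connections from pfSense filterlog syslog lines.

Added example, not a pfSense tool. Assumed CSV layout (pfSense 2.2+ filterlog):
f[4] interface, f[5] reason, f[6] action, f[7] direction, f[8] ip-version;
for IPv4: f[9..15] tos/ecn/ttl/id/offset/flags/protocol-id, f[16] protocol name,
f[17] length, f[18] src, f[19] dst, f[20] src-port, f[21] dst-port (TCP/UDP).
The sample lines below are constructed.
"""
from collections import defaultdict

SAMPLE_LOG = """\
Mar 21 10:15:01 pfSense filterlog[54321]: 5,,,1000000103,igb0,match,block,in,4,0x0,,60,0,0,DF,6,tcp,60,203.0.113.5,198.51.100.2,44120,22,0,S,,,65535,,mss
Mar 21 10:15:01 pfSense filterlog[54321]: 5,,,1000000103,igb0,match,block,in,4,0x0,,60,0,0,DF,6,tcp,60,203.0.113.5,198.51.100.2,44121,23,0,S,,,65535,,mss
Mar 21 10:15:02 pfSense filterlog[54321]: 5,,,1000000103,igb0,match,block,in,4,0x0,,60,0,0,DF,6,tcp,60,203.0.113.5,198.51.100.2,44122,3389,0,S,,,65535,,mss
Mar 21 10:15:02 pfSense filterlog[54321]: 5,,,1000000103,igb0,match,block,in,4,0x0,,60,0,0,DF,17,udp,328,203.0.113.5,198.51.100.2,5000,161,308
Mar 21 10:15:03 pfSense filterlog[54321]: 42,,,1700000001,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,93.184.216.34,50000,443,0,S,,,65535,,mss
Mar 21 10:15:04 pfSense filterlog[54321]: 5,,,1000000103,igb0,match,block,in,4,0x0,,60,0,0,DF,6,tcp,60,198.51.100.77,198.51.100.2,60000,445,0,S,,,65535,,mss
"""


def parse_filterlog(line):
    """Return a dict for one IPv4 TCP/UDP filterlog line, or None for anything else."""
    parts = line.split(": ", 1)          # "<timestamp> <host> filterlog[pid]: <csv>"
    if len(parts) != 2:
        return None
    f = parts[1].split(",")
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    return {"interface": f[4], "action": f[6], "direction": f[7],
            "proto": f[16], "src": f[18], "dst": f[19],
            "sport": int(f[20]), "dport": int(f[21])}


def blocked_inbound_by_source(log_text, min_ports=3):
    """Map each source IP whose blocked inbound traffic hit at least min_ports
    distinct destination ports to the sorted list of those ports."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_filterlog(line)
        if ev and ev["action"] == "block" and ev["direction"] == "in":
            ports[ev["src"]].add(ev["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}
```

Feed it the "Firewall" log category forwarded by Remote Logging; lines from other log categories are skipped by `parse_filterlog`.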
### Traffic Monitoring

```bash
# Navigate to Status > Monitoring

# Traffic Graphs
Interface Traffic: Real-time graphs
Quality: Packet loss and latency
Queues: Traffic shaper queue usage
QualityRRD: Historical quality data
System: CPU and memory usage

# Bandwidth Monitor
# Navigate to Diagnostics > pfTop
Real-time bandwidth usage by IP
Sort by various criteria
Filter by interface or protocol

# Status > Traffic Graph
Real-time interface statistics
Configurable time periods
Multiple interfaces simultaneously
```
### Packet Capture

```bash
# Navigate to Diagnostics > Packet Capture

# Capture Settings
Interface: Select interface to monitor
Host Address: Specific IP to capture
Port: Specific port to capture
Protocol: TCP/UDP/ICMP/Any
Packet Length: Bytes to capture
Count: Number of packets
Detail Level: Normal/Medium/High/Full

# Capture Filters
host 192.168.1.100   # Specific host
port 80              # Specific port
tcp and port 443     # TCP on port 443
not port 22          # Exclude SSH traffic

# Download and Analysis
Download captured packets
Analyze with Wireshark
Save for later analysis
```
## High Availability and Clustering

### CARP Configuration

```bash
# Navigate to System > High Avail Sync

# CARP Settings
Synchronize States: Check
Synchronize Interface: LAN
Synchronize Config to IP: Secondary firewall IP
Remote System Username: admin
Remote System Password: Password
Synchronize Users and Groups: Check
Synchronize Certificates: Check

# CARP Virtual IPs
# Navigate to Firewall > Virtual IPs
Type: CARP
Interface: Shared interface
Address: Virtual IP address
Subnet Mask: Network mask
VHID Group: 1-255 (unique per segment)
Advertising Frequency: Base/Skew
Password: CARP password
Description: CARP VIP description
```
### State Synchronization

```bash
# pfsync Configuration
# Navigate to System > High Avail Sync
Synchronize States: Enable
pfsync Interface: Dedicated sync interface
pfsync Peer IP: Other firewall's sync IP

# Automatic Failover
Primary firewall: CARP priority 0
Secondary firewall: CARP priority 100
Lower number = higher priority
Automatic promotion on failure
```
## Package Management

### Installing Packages

```bash
# Navigate to System > Package Manager
# Available Packages tab

# Popular Packages
pfBlockerNG: IP and DNS blocking
Suricata: Intrusion Detection System
ntopng: Network Traffic Monitor
FreeRADIUS: RADIUS server
Squid: Proxy server
HAProxy: Load balancer
OpenVPN Client Export: VPN client configs
Zabbix Agent: Monitoring agent

# Package Installation
Search for package
Click "Install" button
Confirm installation
Configure package settings
```
### Package Configuration

```bash
# pfBlockerNG Configuration
# Navigate to Firewall > pfBlockerNG
Enable pfBlockerNG
Configure IP blocking lists
Configure DNS blocking lists
Set update frequency
Apply changes

# Suricata Configuration
# Navigate to Services > Suricata
Enable Suricata on interfaces
Download rule sets
Configure rule categories
Set logging options
Start Suricata service

# Squid Proxy Configuration
# Navigate to Services > Squid Proxy Server
Enable Squid proxy
Set proxy port (3128)
Configure access control
Set cache settings
Configure authentication
```
## Command Line Interface

### Console Access

```bash
# Physical console access
# Connect serial cable: 115200 baud, 8N1
# Terminal emulator (PuTTY, screen)

# SSH Access
ssh admin@192.168.1.1
# Enter password, then choose option 8) Shell for the FreeBSD shell

# Common Commands
pfctl -s rules    # Show firewall rules
pfctl -s states   # Show connection states
pfctl -s info     # Show pfctl statistics
ifconfig          # Show interface configuration
netstat -rn       # Show routing table
top               # Show system processes
```
### Configuration Backup/Restore

```bash
# Web Interface Backup
# Navigate to Diagnostics > Backup & Restore
Configuration area: All
Backup configuration: Download XML
Restore configuration: Upload XML

# Command Line Backup
# Backup configuration (config.xml contains password hashes, PSKs and private
# keys: move the copy off the firewall and delete it from /tmp afterwards)
cp /cf/conf/config.xml /tmp/config-backup.xml

# Restore configuration
cp /tmp/config-backup.xml /cf/conf/config.xml
rm -f /tmp/config.cache   # drop the cached parsed config so the restored file is read
/etc/rc.reload_all

# Automatic Backup
# Navigate to Diagnostics > Auto Config Backup
Enable automatic backups
Set backup frequency
Configure encryption
```
## Troubleshooting

### Common Issues

```bash
# Interface Not Working
Check cable connections
Verify interface assignment
Check IP configuration
Review firewall rules
Test with packet capture

# VPN Connection Issues
Verify certificates
Check firewall rules
Review VPN logs
Test connectivity
Verify routing

# Performance Issues
Check CPU usage
Monitor memory usage
Review traffic graphs
Check for bottlenecks
Optimize rules

# DNS Resolution Problems
Check DNS settings
Verify forwarders
Test DNS lookup
Review resolver logs
Check firewall rules
```
### Diagnostic Tools

```bash
# Built-in Diagnostics
Ping: Test connectivity
Traceroute: Trace network path
DNS Lookup: Test DNS resolution
ARP Table: View ARP entries
NDP Table: View IPv6 neighbors
Routes: View routing table
Sockets: Show network sockets
States: Show firewall states

# Log Analysis
System logs: General issues
Firewall logs: Rule matches
DHCP logs: IP assignments
VPN logs: Connection issues
Gateway logs: WAN problems

# Performance Monitoring
Status > Monitoring: Traffic graphs
Status > RRD Graphs: Historical data
Diagnostics > pfInfo: System info
Diagnostics > pfTop: Real-time stats
```
## Security Best Practices

### Hardening pfSense

```bash
# System Hardening
Change default passwords
Disable unused services
Enable secure protocols only
Configure proper time sync
Regular security updates

# Access Control
Limit admin access
Use strong passwords
Enable two-factor authentication
Restrict SSH access
Monitor login attempts

# Network Security
Block unnecessary ports
Use VLANs for segmentation
Implement proper NAT rules
Configure intrusion detection
Regular rule review

# Monitoring
Enable comprehensive logging
Set up log monitoring
Configure alerting
Regular security audits
Backup configurations
```
### Firewall Rule Best Practices

```bash
# Rule Organization
Order rules by specificity
Most specific rules first
Default deny at bottom
Group related rules
Use descriptive names

# Security Principles
Principle of least privilege
Explicit deny rules
Log security events
Regular rule review
Document rule purposes

# Performance Optimization
Minimize rule count
Use aliases for efficiency
Avoid overlapping rules
Optimize rule order
Monitor rule statistics
```
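Several of these checks can be run mechanically against a downloaded configuration backup. The following Python script is an added example, not a pfSense tool: it walks the `<filter>/<rule>` entries of a `config.xml` and flags rules with no description, pass rules on WAN open to any source, block/reject rules without logging, and disabled rules left in place. The element names (`type`, `interface`, `source`, `destination`, `descr`, `log`, `disabled`) mirror what pfSense writes; the sample document is constructed and reuses the rule examples from this page.

```python
"""Audit the <filter> rules of a pfSense config.xml against the practices above.

Added example, not a pfSense tool; element names mirror config.xml (type, interface,
source, destination, descr, log, disabled). The sample document is constructed."""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense><filter>
  <rule><type>pass</type><interface>lan</interface><protocol>tcp</protocol>
    <source><network>lan</network></source>
    <destination><any></any><port>80,443</port></destination>
    <descr>Allow HTTP/HTTPS from LAN</descr></rule>
  <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
    <source><any></any></source>
    <destination><network>wanip</network><port>22</port></destination></rule>
  <rule><type>block</type><interface>lan</interface><protocol>tcp/udp</protocol>
    <source><network>lan</network></source>
    <destination><any></any><port>1024-65535</port></destination>
    <descr>Block P2P traffic</descr></rule>
  <rule><disabled></disabled>
    <type>pass</type><interface>wan</interface><protocol>tcp</protocol>
    <source><address>203.0.113.10</address></source>
    <destination><network>wanip</network><port>22</port></destination>
    <descr>Allow SSH from admin host</descr><log></log></rule>
</filter></pfsense>
"""


def endpoint(elem):
    """Render a <source>/<destination> element as 'any', 'lan', 'wanip:22', ..."""
    if elem is None or elem.find("any") is not None:   # <any/> is an empty element
        base = "any"
    elif elem.find("network") is not None:            # interface net or 'wanip'
        base = elem.findtext("network")
    else:
        base = elem.findtext("address", "?")
    port = elem.findtext("port") if elem is not None else None
    return f"{base}:{port}" if port else base


def audit_rules(config_xml):
    """Return (rule_number, finding) pairs; rules are numbered in config order."""
    findings = []
    for num, rule in enumerate(ET.fromstring(config_xml).iterfind("./filter/rule"), 1):
        action, iface = rule.findtext("type", ""), rule.findtext("interface", "")
        if rule.find("disabled") is not None:           # <disabled/> marks a disabled rule
            findings.append((num, "disabled rule left in place; remove or document it"))
            continue
        if not rule.findtext("descr", "").strip():
            findings.append((num, "no description; document the rule's purpose"))
        if action == "pass" and iface == "wan" and endpoint(rule.find("source")) == "any":
            findings.append((num, "pass rule on WAN from any source; restrict the source"))
        if action in ("block", "reject") and rule.find("log") is None:  # <log/> = logging on
            findings.append((num, f"{action} rule without logging; enable Log"))
    return findings
```

Run it against the XML downloaded from Diagnostics > Backup & Restore; the findings map back to rule positions on the Firewall > Rules pages.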
## Resources

- pfSense Official Documentation
- pfSense Book
- Netgate Community
- pfSense Hangout