pfSense Cheatsheet
pfSense is a free and open-source firewall and router distribution based on FreeBSD. It provides a comprehensive network security platform with advanced features including stateful packet filtering, VPN capabilities, traffic shaping, load balancing and intrusion detection. pfSense is widely used in enterprise environments and home networks for its robust security features and user-friendly web interface.
Installation and Setup
Hardware Requirements
```bash
# Minimum Requirements
CPU: 500 MHz (1 GHz recommended)
RAM: 512 MB (1 GB recommended)
Storage: 4 GB (8 GB recommended)
Network: 2 NICs minimum (WAN + LAN)

# Recommended for Enterprise
CPU: Multi-core 2+ GHz
RAM: 4+ GB
Storage: 40+ GB SSD
Network: Multiple gigabit NICs
```
Installation Process
```bash
# Download the pfSense CE ISO from https://www.pfsense.org/download/
# (the image is distributed as a gzip-compressed ISO)
# Verify the published SHA256 checksum before writing the image
sha256sum pfSense-CE-2.7.0-RELEASE-amd64.iso.gz
gunzip pfSense-CE-2.7.0-RELEASE-amd64.iso.gz

# Create bootable USB (replace /dev/sdX with the USB device, not a system disk)
dd if=pfSense-CE-2.7.0-RELEASE-amd64.iso of=/dev/sdX bs=4M status=progress

# Boot from USB and follow the installer
# 1. Accept license
# 2. Install pfSense
# 3. Select target disk
# 4. Reboot and remove installation media
```
Initial Configuration
```bash
# Console Setup Menu
1) Assign Interfaces
2) Set interface(s) IP address
3) Reset webConfigurator password
4) Reset to factory defaults
5) Reboot system
6) Halt system
7) Ping host
8) Shell

# Basic Network Setup
WAN Interface: DHCP or Static IP
LAN Interface: 192.168.1.1/24 (default)
WebGUI: https://192.168.1.1
Default credentials: admin/pfsense   # change the default password at first login
```
Web Interface Navigation
Dashboard Overview
```bash
# Main Dashboard Widgets
System Information
Interface Statistics
Gateway Status
Traffic Graphs
System Activity
Services Status
Thermal Sensors
Load Balancer Status

# Customizing Dashboard
Status > Dashboard
Add/Remove widgets
Drag and drop to reorder
Configure widget settings
```
Menu Structure
```bash
# System Menu
System > General Setup
System > Advanced
System > Cert. Manager
System > User Manager
System > Package Manager
System > High Avail Sync

# Interfaces Menu
Interfaces > Assignments
Interfaces > WAN/LAN/OPT
Interfaces > VLANs
Interfaces > Wireless

# Firewall Menu
Firewall > Rules
Firewall > NAT
Firewall > Aliases
Firewall > Schedules
Firewall > Virtual IPs

# Services Menu
Services > DHCP Server
Services > DNS Resolver
Services > Dynamic DNS
Services > SNMP
Services > UPnP & NAT-PMP

# VPN Menu
VPN > IPsec
VPN > OpenVPN
VPN > WireGuard
VPN > L2TP

# Status Menu
Status > System Logs
Status > Monitoring
Status > Services
Status > Interfaces
Status > Gateways

# Diagnostics Menu
Diagnostics > Ping
Diagnostics > Traceroute
Diagnostics > DNS Lookup
Diagnostics > Packet Capture
```
Firewall Rule Configuration
Basic Rule Structure
```bash
# Rule Components
Action: Pass/Block/Reject
Interface: WAN/LAN/OPT
Direction: In/Out
Protocol: TCP/UDP/ICMP/Any
Source: IP/Network/Alias
Destination: IP/Network/Alias
Port: Specific/Range/Any

# Default Rules
LAN to Any: Pass (allow LAN internet access)
WAN to Any: Block (block inbound connections)
Anti-lockout: Pass (prevent GUI lockout)
```
Creating Firewall Rules
```bash
# Navigate to Firewall > Rules
# Select interface (WAN/LAN/OPT)
# Click "Add" button (up arrow adds at the top, down arrow at the bottom)

# Rule Configuration
Action: Pass/Block/Reject
Disabled: Checkbox to disable rule
Interface: Auto-selected based on current interface
Address Family: IPv4/IPv6/IPv4+IPv6
Protocol: TCP/UDP/ICMP/Any

# Source Configuration
Source Type: Single host/Network/Any
Source Address: IP or network range
Source Port Range: From/To ports

# Destination Configuration
Destination Type: Single host/Network/Any
Destination Address: IP or network range
Destination Port Range: From/To ports

# Extra Options
Log: Enable logging for this rule
Description: Rule description
Advanced Options: Additional settings
```
Common Rule Examples
```bash
# Allow HTTP/HTTPS from LAN to Internet
Action: Pass
Interface: LAN
Protocol: TCP
Source: LAN net
Destination: Any
Destination Port: 80,443

# Block P2P Traffic
# Note: this matches every destination port above 1023, not only P2P,
# so legitimate services on high ports are blocked as well
Action: Block
Interface: LAN
Protocol: TCP/UDP
Source: LAN net
Destination: Any
Destination Port: 1024-65535
Description: Block P2P traffic

# Allow SSH from Specific IP
Action: Pass
Interface: WAN
Protocol: TCP
Source: 203.0.113.10
Destination: WAN address
Destination Port: 22

# Block Social Media
Action: Block
Interface: LAN
Protocol: TCP
Source: LAN net
Destination: SocialMedia_Alias
Destination Port: 80,443
```
Network Address Translation (NAT)
Port Forwarding
```bash
# Navigate to Firewall > NAT > Port Forward
# Click "Add" to create a new rule

# Port Forward Configuration
Interface: WAN (typically)
Protocol: TCP/UDP/TCP+UDP
Source: Any (or specific IP)
Source Port Range: Any (typically)
Destination: WAN address
Destination Port Range: External port
Redirect Target IP: Internal server IP
Redirect Target Port: Internal port
Description: Rule description

# Example: Web Server Port Forward
Interface: WAN
Protocol: TCP
Destination Port: 80
Redirect Target IP: 192.168.1.100
Redirect Target Port: 80
Description: Web server port forward
```
1:1 NAT
```bash
# Navigate to Firewall > NAT > 1:1
# Used for static NAT mapping

# 1:1 NAT Configuration
Interface: WAN
External Subnet IP: Public IP
Internal IP: Private IP
Destination: Any
Description: Static NAT mapping

# Example: DMZ Server
External Subnet IP: 203.0.113.10
Internal IP: 192.168.1.100
```
Outbound NAT
```bash
# Navigate to Firewall > NAT > Outbound
# Modes: Automatic/Hybrid/Manual

# Manual Outbound NAT Rule
Interface: WAN
Protocol: Any
Source Type: Network
Source: 192.168.1.0/24
Source Port: Any
Destination Type: Any
Destination Port: Any
Translation Address: Interface address
Translation Port: Any
Static Port: Unchecked (typically)
```
DHCP Server Configuration
Basic DHCP Setup
```bash
# Navigate to Services > DHCP Server
# Select interface (LAN/OPT)

# General Options
Enable: Check to enable DHCP
Deny unknown clients: Uncheck for normal operation
Subnet: Auto-filled from interface
Subnet Mask: Auto-filled from interface
Available Range: Shows available IP range

# Range Configuration
Range From: Start of DHCP pool
Range To: End of DHCP pool
WINS Servers: Windows name servers
DNS Servers: Custom DNS servers (optional)

# Example Configuration
Range From: 192.168.1.100
Range To: 192.168.1.200
DNS Servers: 8.8.8.8, 8.8.4.4
```
DHCP Reservations
```bash
# Static DHCP Mappings
# Navigate to Services > DHCP Server
# Scroll to "DHCP Static Mappings for this Interface"

# Static Mapping Configuration
MAC Address: Client MAC address
Client Identifier: Alternative to MAC
IP Address: Reserved IP address
Hostname: Client hostname
Description: Mapping description

# Example: Server Reservation
MAC Address: 00:11:22:33:44:55
IP Address: 192.168.1.50
Hostname: fileserver
Description: File server static IP
```
Advanced DHCP Options
```bash
# Additional DHCP Options
Default Lease Time: 7200 seconds
Maximum Lease Time: 86400 seconds
Failover Peer IP: For DHCP failover
Static ARP: Create static ARP entries
Enable Network Booting: For PXE boot
Next Server: TFTP server for PXE
Default BIOS File Name: PXE boot file

# Custom DHCP Options
Number: DHCP option number
Type: Text/String/Boolean/Unsigned Integer
Value: Option value
```
VPN Configuration
OpenVPN Server Setup
```bash
# Navigate to VPN > OpenVPN > Servers
# Click "Add" to create a new server

# General Information
Server Mode: Remote Access (SSL/TLS)
Protocol: UDP (recommended)
Interface: WAN
Local Port: 1194 (default)
Description: OpenVPN Server

# Cryptographic Settings
TLS Configuration: Use a TLS Key
Peer Certificate Authority: Select CA
Server Certificate: Select server cert
DH Parameter Length: 2048 bit
Encryption Algorithm: AES-256-CBC
Auth Digest Algorithm: SHA256

# Tunnel Settings
IPv4 Tunnel Network: 10.0.8.0/24
IPv4 Local Network: 192.168.1.0/24
Concurrent Connections: 10
Compression: Adaptive LZO Compression
# Note: OpenVPN compression is deprecated (VORACLE compression-oracle attacks);
# current guidance is to leave it disabled unless a legacy peer requires it

# Client Settings
Dynamic IP: Allow connected clients to retain their connections
Address Pool: Use a pool of addresses
DNS Default Domain: Local domain
DNS Servers: 192.168.1.1
```
OpenVPN Client Configuration
```bash
# Navigate to VPN > OpenVPN > Clients
# Click "Add" to create a new client

# General Information
Server Mode: Peer to Peer (SSL/TLS)
Protocol: UDP
Interface: WAN
Server Host or Address: Remote server IP/hostname
Server Port: 1194
Description: OpenVPN Client

# User Authentication
Username/Password: If required
Authentication Only: For additional security

# Cryptographic Settings
Peer Certificate Authority: Remote CA
Client Certificate: Client certificate
Encryption Algorithm: Match server settings
Auth Digest Algorithm: Match server settings

# Advanced Configuration
Custom Options: Additional OpenVPN directives
```
IPsec VPN Setup
```bash
# Navigate to VPN > IPsec > Tunnels
# Click "Add P1" to create Phase 1

# Phase 1 (IKE) Configuration
# General Information:
Remote Gateway: Peer IP address
Description: Tunnel description

# Proposal (Authentication):
Authentication Method: Mutual PSK
Negotiation Mode: Main
My Identifier: My IP address
Peer Identifier: Peer IP address
Pre-Shared Key: Shared secret

# Proposal (Algorithms):
Encryption Algorithm: AES 256
Hash Algorithm: SHA256
DH Group: 14 (2048 bit)
Lifetime: 28800 seconds

# Phase 2 (IPsec) Configuration
# General Information:
Mode: Tunnel IPv4
Local Network: 192.168.1.0/24
Remote Network: 192.168.2.0/24

# Proposal (SA/Key Exchange):
Protocol: ESP
Encryption Algorithms: AES 256
Hash Algorithms: SHA256
PFS Key Group: 14 (2048 bit)
Lifetime: 3600 seconds
```
WireGuard VPN
```bash
# Navigate to VPN > WireGuard > Settings
# Enable WireGuard and apply changes

# Create WireGuard Tunnel
# Navigate to VPN > WireGuard > Tunnels
# Click "Add Tunnel"

# Tunnel Configuration
Enabled: Check
Description: WireGuard Server
Listen Port: 51820
Interface Keys: Generate new keys
Interface Addresses: 10.0.9.1/24

# Add Peers
# Click "Add Peer"
Enabled: Check
Description: Client 1
Public Key: Client public key
Allowed IPs: 10.0.9.2/32
Endpoint: Leave empty for server
Persistent Keepalive: 25 seconds
```
Traffic Shaping and QoS
Traffic Shaper Configuration
```bash
# Navigate to Firewall > Traffic Shaper
# Select interface and bandwidth

# Bandwidth Settings
Interface: WAN/LAN
Scheduler Type: HFSC (recommended)
Bandwidth: Available bandwidth
Burst: Burst allowance

# Create Queues
Root Queue: Total bandwidth
Child Queues: Service categories
  - High Priority: VoIP, Gaming
  - Medium Priority: Web browsing
  - Low Priority: File transfers

# Queue Configuration
Queue Name: Descriptive name
Priority: 1-7 (7 highest)
Bandwidth: Allocated bandwidth
Burst: Burst allowance
Description: Queue description
```
Limiter Configuration
```bash
# Navigate to Firewall > Traffic Shaper > Limiters
# Click "New Limiter"

# Limiter Settings
Enable: Check
Name: Limiter name
Bandwidth: Speed limit
Mask: none/Src/Dst
Description: Limiter description

# Apply to Firewall Rules
# Navigate to Firewall > Rules
# Edit an existing rule or create a new one
# Advanced Features > In/Out pipe
# Select the appropriate limiter

# Example: Bandwidth Limiting
Name: Download_Limit
Bandwidth: 10 Mbps
Mask: Destination addresses
Apply to: LAN rules for internet access
```
Monitoring and Logging
System Logs
```bash
# Navigate to Status > System Logs

# Log Categories
System: General system events
Firewall: Firewall rule matches
DHCP: DHCP server events
Portal: Captive portal events
VPN: VPN connection events
Wireless: Wireless events
Resolver: DNS resolver events

# Log Settings
# Navigate to Status > System Logs > Settings
Log File Size: Maximum log size
Log Entries: Number of entries to display
Reverse Display: Newest entries first
GUI Log Entries: Web interface log size

# Remote Logging
Remote Log Servers: Syslog server IPs
Remote Syslog Contents: What to send
```
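The firewall log entries listed above are written by pfSense's filterlog as comma-separated fields and are what a remote syslog server receives. As an added example (not from the page or the pfSense project), this POSIX sh/awk script summarises blocked inbound connections and flags sources that touched many distinct ports; it assumes the IPv4 field order given in the comments and runs on constructed sample lines.

```bash
#!/bin/sh
# Added example: summarise blocked inbound connections from pfSense filterlog
# lines. Assumed IPv4 field layout after the syslog prefix:
#  1 rule  2 sub-rule  3 anchor  4 tracker  5 interface  6 reason  7 action
#  8 direction  9 ip-version  10 tos  11 ecn  12 ttl  13 id  14 offset
# 15 flags  16 proto-id  17 proto  18 length  19 src  20 dst  21 sport  22 dport

# Constructed sample lines (not real traffic): 203.0.113.10 plays the WAN
# address, igb0 the WAN interface and igb1 the LAN interface.
SAMPLE_LOG='Jan 10 12:00:01 fw filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,0x0,,53,0,0,DF,6,tcp,60,198.51.100.7,203.0.113.10,51000,22,0,S,1,,1460,,
Jan 10 12:00:02 fw filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,0x0,,53,0,0,DF,6,tcp,60,198.51.100.7,203.0.113.10,51001,23,0,S,1,,1460,,
Jan 10 12:00:03 fw filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,0x0,,53,0,0,DF,6,tcp,60,198.51.100.7,203.0.113.10,51002,3389,0,S,1,,1460,,
Jan 10 12:00:04 fw filterlog[12345]: 12,,,1000000201,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,203.0.113.10,44000,443,0,S,1,,1460,,
Jan 10 12:00:05 fw filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,0x0,,53,0,0,none,17,udp,76,192.0.2.9,203.0.113.10,40000,161,56
Jan 10 12:00:06 fw filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,0x0,,53,0,0,DF,6,tcp,60,198.51.100.7,203.0.113.10,51003,445,0,S,1,,1460,,'

# blocked_inbound_by_source LOG_TEXT
# Prints "count source" for blocked inbound IPv4 packets, busiest source first.
blocked_inbound_by_source() {
    printf '%s\n' "$1" | awk -F',' '
        { sub(/^.*filterlog\[[0-9]+\]: /, "") }   # drop syslog prefix; $0 is re-split
        $7 == "block" && $8 == "in" && $9 == "4" { n[$19]++ }
        END { for (s in n) print n[s], s }' | sort -rn
}

# scan_suspects LOG_TEXT THRESHOLD
# Prints "source distinct_ports" for sources whose blocked inbound TCP/UDP
# packets hit at least THRESHOLD distinct destination ports; a simple
# port-scan indicator worth alerting on.
scan_suspects() {
    printf '%s\n' "$1" | awk -F',' -v t="$2" '
        { sub(/^.*filterlog\[[0-9]+\]: /, "") }
        $7 == "block" && $8 == "in" && $9 == "4" && ($17 == "tcp" || $17 == "udp") {
            key = $19 SUBSEP $22
            if (!(key in seen)) { seen[key] = 1; ports[$19]++ }
        }
        END { for (s in ports) if (ports[s] >= t) print s, ports[s] }' | sort
}
```

Feed real lines with `blocked_inbound_by_source "$(cat /var/log/filter.log)"` or from the syslog server's file; passed entries and LAN-side traffic are filtered out by the `block`/`in` test.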
Traffic Monitoring
```bash
# Navigate to Status > Monitoring

# Traffic Graphs
Interface Traffic: Real-time graphs
Quality: Packet loss and latency
Queues: Traffic shaper queue usage
QualityRRD: Historical quality data
System: CPU and memory usage

# Bandwidth Monitor
# Navigate to Diagnostics > pfTop
Real-time bandwidth usage by IP
Sort by various criteria
Filter by interface or protocol

# Status > Traffic Graph
Real-time interface statistics
Configurable time periods
Multiple interfaces simultaneously
```
Packet Capture
```bash
# Navigate to Diagnostics > Packet Capture

# Capture Settings
Interface: Select interface to monitor
Host Address: Specific IP to capture
Port: Specific port to capture
Protocol: TCP/UDP/ICMP/Any
Packet Length: Bytes to capture
Count: Number of packets
Detail Level: Normal/Medium/High/Full

# Capture Filters
host 192.168.1.100: Specific host
port 80: Specific port
tcp and port 443: TCP on port 443
not port 22: Exclude SSH traffic

# Download and Analysis
Download captured packets
Analyze with Wireshark
Save for later analysis
```
High Availability and Clustering
CARP Configuration
```bash
# Navigate to System > High Avail Sync

# CARP Settings
Synchronize States: Check
Synchronize Interface: LAN
Synchronize Config to IP: Secondary firewall IP
Remote System Username: admin
Remote System Password: Password
Synchronize Users and Groups: Check
Synchronize Certificates: Check

# CARP Virtual IPs
# Navigate to Firewall > Virtual IPs
Type: CARP
Interface: Shared interface
Address: Virtual IP address
Subnet Mask: Network mask
VHID Group: 1-255 (unique per segment)
Advertising Frequency: Base/Skew
Password: CARP password
Description: CARP VIP description
```
State Synchronization
```bash
# pfsync Configuration
# Navigate to System > High Avail Sync
Synchronize States: Enable pfsync
Interface: Dedicated sync interface
pfsync Peer IP: Other firewall's sync IP

# Automatic Failover
Primary firewall: CARP priority (advertising skew) 0
Secondary firewall: CARP priority (advertising skew) 100
Lower number = higher priority
Automatic promotion on failure
```
Package Management
Installing Packages
```bash
# Navigate to System > Package Manager
# Available Packages tab

# Popular Packages
pfBlockerNG: IP and DNS blocking
Suricata: Intrusion Detection System
ntopng: Network Traffic Monitor
FreeRADIUS: RADIUS server
Squid: Proxy server
HAProxy: Load balancer
OpenVPN Client Export: VPN client configs
Zabbix Agent: Monitoring agent

# Package Installation
Search for package
Click "Install" button
Confirm installation
Configure package settings
```
Package Configuration
```bash
# pfBlockerNG Configuration
# Navigate to Firewall > pfBlockerNG
Enable pfBlockerNG
Configure IP blocking lists
Configure DNS blocking lists
Set update frequency
Apply changes

# Suricata Configuration
# Navigate to Services > Suricata
Enable Suricata on interfaces
Download rule sets
Configure rule categories
Set logging options
Start Suricata service

# Squid Proxy Configuration
# Navigate to Services > Squid Proxy Server
Enable Squid proxy
Set proxy port (3128)
Configure access control
Set cache settings
Configure authentication
```
Command Line Interface
Console Access
```bash
# Physical console access
# Connect serial cable: 115200 baud, 8N1
# Terminal emulator (PuTTY, screen)

# SSH Access
# SSH is disabled by default; enable it under System > Advanced > Admin Access
ssh admin@192.168.1.1
# Enter password; the admin user lands in the console setup menu,
# option 8 opens the FreeBSD shell

# Common Commands
pfctl -s rules    # Show firewall rules
pfctl -s states   # Show connection states
pfctl -s info     # Show pfctl statistics
ifconfig          # Show interface configuration
netstat -rn       # Show routing table
top               # Show system processes
```
Configuration Backup/Restore
```bash
# Web Interface Backup
# Navigate to Diagnostics > Backup & Restore
Configuration area: All
Backup configuration: Download XML
Restore configuration: Upload XML

# Command Line Backup
# config.xml contains password hashes, VPN secrets and private keys;
# protect backup copies accordingly
cp /cf/conf/config.xml /tmp/config-backup.xml

# Restore the configuration and reload all services
cp /tmp/config-backup.xml /cf/conf/config.xml
/etc/rc.reload_all

# Automatic Backup
# Navigate to Diagnostics > Auto Config Backup
Enable automatic backups
Set backup frequency
Configure encryption
```
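The manual backup above copies config.xml without checking the result. As an added example (not pfSense's own tooling), this POSIX sh script adds an integrity check, owner-only permissions and a pre-restore sanity check; it assumes sha256sum(1) is available (FreeBSD 13+ and Linux ship it), takes the paths as parameters so it can be exercised on a constructed sample, and the function names are mine.

```bash
#!/bin/sh
# Added example: verified backup and pre-restore check for pfSense config.xml.
# On a firewall the source is /cf/conf/config.xml; paths are parameters here.

# backup_config SRC DEST_DIR  -> prints the path of the verified copy
backup_config() {
    src="$1"; dest_dir="$2"
    out="$dest_dir/config-$(date +%Y%m%d-%H%M%S).xml"
    # config.xml holds password hashes, PSKs and private keys: owner-only access
    umask 077
    cp "$src" "$out" || return 1
    # The copy must match the source byte for byte
    if ! cmp -s "$src" "$out"; then
        echo "backup of $src does not match source" >&2
        rm -f "$out"
        return 1
    fi
    # Record a checksum beside the backup so later corruption or tampering shows
    (cd "$dest_dir" && sha256sum "$(basename "$out")" > "$(basename "$out").sha256") || return 1
    echo "$out"
}

# check_restore_candidate FILE  -> status 0 if FILE looks safe to copy over config.xml
check_restore_candidate() {
    f="$1"
    [ -s "$f" ] || return 1
    # A pfSense configuration is an XML document whose root element is <pfsense>
    grep -q '^<?xml' "$f" || return 1
    grep -q '^<pfsense' "$f" || return 1
    grep -q '</pfsense>' "$f" || return 1
    # If a checksum was recorded at backup time, it must still match
    if [ -f "$f.sha256" ]; then
        (cd "$(dirname "$f")" && sha256sum -c "$(basename "$f").sha256" >/dev/null 2>&1) || return 1
    fi
    return 0
}
```

A restore then becomes `check_restore_candidate "$f" && cp "$f" /cf/conf/config.xml && /etc/rc.reload_all`, so a truncated or altered backup is refused before it replaces the live configuration.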
Troubleshooting
Common Issues
```bash
# Interface Not Working
Check cable connections
Verify interface assignment
Check IP configuration
Review firewall rules
Test with packet capture

# VPN Connection Issues
Verify certificates
Check firewall rules
Review VPN logs
Test connectivity
Verify routing

# Performance Issues
Check CPU usage
Monitor memory usage
Review traffic graphs
Check for bottlenecks
Optimize rules

# DNS Resolution Problems
Check DNS settings
Verify forwarders
Test DNS lookup
Review resolver logs
Check firewall rules
```
Diagnostic Tools
```bash
# Built-in Diagnostics
Ping: Test connectivity
Traceroute: Trace network path
DNS Lookup: Test DNS resolution
ARP Table: View ARP entries
NDP Table: View IPv6 neighbors
Routes: View routing table
Sockets: Show network sockets
States: Show firewall states

# Log Analysis
System logs: General issues
Firewall logs: Rule matches
DHCP logs: IP assignments
VPN logs: Connection issues
Gateway logs: WAN problems

# Performance Monitoring
Status > Monitoring: Traffic graphs
Status > RRD Graphs: Historical data
Diagnostics > pfInfo: System info
Diagnostics > pfTop: Real-time stats
```
Security Best Practices
Hardening pfSense
```bash
# System Hardening
Change default passwords
Disable unused services
Enable secure protocols only
Configure proper time sync
Regular security updates

# Access Control
Limit admin access
Use strong passwords
Enable two-factor authentication
Restrict SSH access
Monitor login attempts

# Network Security
Block unnecessary ports
Use VLANs for segmentation
Implement proper NAT rules
Configure intrusion detection
Regular rule review

# Monitoring
Enable comprehensive logging
Set up log monitoring
Configure alerting
Regular security audits
Backup configurations
```
Firewall Rule Best Practices
```bash
# Rule Organization
Order rules by specificity
Most specific rules first
Default deny at bottom
Group related rules
Use descriptive names

# Security Principles
Principle of least privilege
Explicit deny rules
Log security events
Regular rule review
Document rule purposes

# Performance Optimization
Minimize rule count
Use aliases for efficiency
Avoid overlapping rules
Optimize rule order
Monitor rule statistics
```
Resources
- pfSense Official Documentation
- pfSense Book
- Netgate Community
- pfSense Hangout