This article will guide through selecting an appropriate version ofpfSense® software, the initial pfSense installation, and related tasks.
PFSense doesn’t need much space, but it should be allocated a 2:1 for swap (e.g. 4096 MB swap file for 2048 MB of RAM), plus some extra space for packages and logs may be useful. Step 8 – Edit before completion. Step 9 – Final settings. As this is my firewall, I want to make sure it is plenty fast.
Tip
If you purchased an official Netgate appliance, check the reinstallguide in the appropriate Security Gateway Manual.
Choose Installation Type¶
To install pfSense, first a few decisions are necessary to pick whichtype of installation will be performed.
Hardware considerations¶
When selecting hardware for a new build, carefully consider current andfuture hardware requirements. These include:
- 64-bit Intel or AMD CPU (x86-64, amd64) on pfSense 2.4 and later
- Must be able to boot from USB or optical drive and run the installeron pfSense 2.4 and later
64-bit or 32-bit¶
Starting from version 2.4, pfSense supports 64-bit (amd64) exclusivelywhile 32-bit (i386) support remains with pfSense 2.3, which will receivesecurity updates for at least a year after pfSense 2.4.0-RELEASE.
The amd64 platform works on current x86-64 hardware from Intel, AMD,etc. If the hardware is capable of using a 64-bit operating system, thenrun the amd64 version.
Installer ISO, Memstick or Memstick Serial?¶
If a Full Install is to be performed, there are three types of installmedia that can be used to accomplish the task:
- Optical disc image (ISO image, CD/DVD disc): Easy and familiar tomany, if the target hardware has an optical drive it’s a solidchoice, especially if the BIOS will not boot from USB.
- Memstick: Like the CD/DVD, but run from a USB thumb drive. Oftenfaster than the CD/DVD. Many new devices do not have integratedoptical drives, making this the current best recommendation.
- Serial Memstick: Like the Memstick image, but runs using the serialconsole rather than VGA, for newer embedded systems.
NanoBSD or NanoBSD+VGA¶
IMPORTANT: NanoBSD is deprecated with the pfSense 2.4-RELEASE!
NanoBSD uses the Serial Console by default, so there are two sets ofNanoBSD images:
- NanoBSD: Embedded install type using the serial console by default
- NanoBSD+VGA: Like NanoBSD, but uses the VGA console instead.
Virtual Machines¶
Virtual Machines, with hypervisors such as VMware vSphere, Hyper-V, KVM,Proxmox or Xen, should be installed using the ISO image. They can beused to firewall completely inside a hypervisor host for other virtualmachines, or for edge filtering/routing tasks.
See Also:
Download pfSense¶
- Visit https://www.pfsense.org/download
- Pick the chosen Version, Architecture, and Installer type
- Download the SHA256 checksum file to verify the image later
- Pick a mirror and click the link on its row to download the imagefrom there
- Wait for the download to complete
Prepare Installation Media¶
The downloaded image must be written to target media before it can beused. For a Full Install, this media is used to boot and install andthen will not be needed again. For Embedded, the target media is thedisk (CF/SD) that will contain the Operating System.
- Write the installer ISO: If the .iso file was downloaded, it mustbe burned to a disc as an ISO image. See Writing ISO Images for assistance.
- Writing Memstick or NanoBSD images: This task is covered with greatdetail in Writing Disk Images.
Connect to Serial Console¶
Before attempting to install or boot, if a serial-based image was used,such as Memstick-Serial, connect to the serial console with aappropriate serial cable and terminal options. See Connecting to theSerial Console for specifics.
Performing a Full Install (ISO, Memstick)¶
Power on the target system and connect the install media: Place the CDinto the drive or plug the Memstick into a USB port. If the BIOS is setto boot from CD/USB, pfSense will start.
For other boot issues, Installation Troubleshooting.
As the operating system boots and pfSense starts, a wizard will startand prompt to accept the copyright and distribution notice.
To start the installation select OK while Install option isselected.
Next step is to select filesystem. By default UFS is selected. ZFSsupport is currently experimental. Select OK to continue. Thisoption automatically configures the hard drive.
The following step allows Keymap Selection. Standard US isdefault. Continue to the next step with Select.
The install will proceed, wiping the target disk and installing pfSense.Copying files may take some time to finish.
It usually takes no longer than a couple of minutes.
After installation completion manual configuration options are offered,select No to continue.
Now the system must reboot so that pfSense may start from the targetdisk. Select Reboot and then press Enter. Be sure to remove thedisc or USB memstick so that the system will not attempt to boot fromthere next time.
After the system reboots, pfSense will be running from the target disk.The next step is to Assign Interfaces on the Console below.
Assign Interfaces on the Console¶
The default configuration file on pfSense 2.3 has em0 assigned as WAN,and em1 assigned as LAN. If the target hardware has em0 and em1,then the assignment prompt is skipped and the install will proceed asusual. Several other common platforms such as our SG systems, APU, andALIX are also recognized and will have their interfaces assigned in theexpected order.
If the hardware platform cannot be identified, a list of networkinterfaces and their MAC addresses that were located on the system willappear, along with an indication of their link state if that issupported by the network card. The link state is denoted by “(up)”appearing after the MAC address if a link is detected on that interface.The MAC (Media Access Control) address of a network card is a uniqueidentifier assigned to each card, and no two network cards should havethe same MAC address. After that, a prompt will be shown for VLANconfiguration.
VLANS¶
The option to assign VLANs is presented first. If VLANs are notrequired, or they are not known, enter No here. VLANs are optional andare only needed for advanced networking. VLAN-capable equipment is alsorequired if they are to be used. See VLAN Trunkingfor details.
LAN, WAN, OPTx¶
The first interface prompt is for the WAN interface. If theinterface is known, enter its name, such as igb0 or em0 and pressEnter. If the identity of the card is not known, see the nextsection for the Auto Assign Procedure.
The second interface prompt is for the LAN interface. Enter theappropriate interface, such as igb1 or em1, and press Enteragain. If only the WAN interface is to be used, and no LAN, pressEnter without giving any other input.
Only one interface (WAN) is required to setup pfSense. If moreinterfaces are available they may be assigned as LAN and OPTxinterfaces. The procedure is the same for additional interfaces: Enterthe appropriate interface name, then press Enter.
When there are no more interfaces to add, press Enter. The list ofassigned interfaces is displayed. If the mappings are correct, entery, otherwise enter n and repeat the assignment.
NOTE: If only one NIC is assigned (WAN), This is called ApplianceMode. In this mode, pfSense will move the GUI anti-lockout rule tothe WAN interface so the firewall may be accessed from there. Theusual routing functions would not be active since there is no“internal” interface. This type of configuration is useful for VPNappliances, DNS servers, etc.
Auto Assign Procedure¶
For automatic interface assignment, first unplug all network cables fromthe system, then type a and press Enter. Now plug a network cableinto the interface that should connect to the WAN, and press Enter.If all went well, pfSense should know now which interface to use for theWAN. The same process may be repeated for the LAN, and any optionalinterfaces that will be needed. If a message is displayed such as Nolink-up detected, see Installation Troubleshooting for more informationon sorting out network card identities.
pfSense Default Configuration¶
After installation and interface assignment, pfSense has the followingdefault configuration:
- WAN is configured as an IPv4 DHCP client
- WAN is configured as an IPv6 DHCP client and will request a prefixdelegation
- LAN is configured with a static IPv4 address of 192.168.1.1/24
- LAN is configured to use a delegated IPv6 address/prefix obtained byWAN (Track IPv6) if one is available
- All incoming connections to WAN are blocked
- All outgoing connections from LAN are allowed
- NAT is performed on IPv4 traffic leaving WAN from the LAN subnet
- The firewall will act as an IPv4 DHCP Server
- The firewall will act as an IPv6 DHCPv6 Server ifa prefix delegation was obtained on WAN, and also enables SLAAC
- The DNS Resolver is enabled so thefirewall can accept and respond to DNS queries
- SSH is disabled.
- WebGUI is running on port 443 using HTTPS
- Default credentials are set to a username of admin with passwordpfsense
Post-Install Tasks¶
After installation and assignment, a shell menu is presented on theconsole with a number of options. pfSense now is ready to be accessedvia the network, either on the LAN interface (if one is assigned), or onthe WAN interface in a single interface deployment.
![How To Install Pfsense Packages Offline Maps How To Install Pfsense Packages Offline Maps](http://www.unixmen.com/wp-content/uploads/2016/01/nginx-port.png)
Connect to the GUI¶
The WebGUI is used to configure the vast majority of items in pfSense.It may be accessed by any modern browser, though Firefox and Chrome arepreferred.
Connect a client PC to the LAN of the firewall and ensure it obtained anIP address. If it did not, it may be plugged into the wrong port.
Open a web browser and navigate to https://192.168.1.1/, using thedefault username admin and password pfsense to login.
The first visit to the WebGUI will be redirected to the setup wizard,which is also accessible at System > Setup Wizard. Proceed throughthe wizard and configure things as desired.
Installation Troubleshooting¶
If the installation did not proceed as planned, see InstallationTroubleshooting for help.
Additional Information¶
For additional information on Installing pfSense, see the Installing and Upgradingsection. The pfSense Book and pfSense Hangouts on Youtube also cover a variety of relevanttopics.