Mastering pfSense - Second Edition

By: David Zientara
Overview of this book

pfSense has the same reliability and stability as even the most popular commercial firewall offerings on the market – but, like the very best open-source software, it doesn’t limit you. You’re in control – you can exploit and customize pfSense around your security needs. Mastering pfSense - Second Edition, covers features that have long been part of pfSense such as captive portal, VLANs, traffic shaping, VPNs, load balancing, Common Address Redundancy Protocol (CARP), multi-WAN, and routing. It also covers features that have been added with the release of 2.4, such as support for ZFS partitions and OpenVPN 2.4. This book takes into account the fact that, in order to support increased cryptographic loads, pfSense version 2.5 will require a CPU that supports AES-NI. The second edition of this book places more of an emphasis on the practical side of utilizing pfSense than the previous edition, and, as a result, more examples are provided which show in step-by-step fashion how to implement many features.

The best practices for installation and configuration

Once you have chosen your hardware and which version you are going to install, you can download pfSense.

  1. Browse to the Downloads section of pfsense.org and select the appropriate computer architecture (32-bit, 64-bit, or Netgate ADI), the appropriate platform (Live CD, memstick, or embedded), and you should be presented with a list of mirrors. Choose the closest one for the best performance.

You will also want to download the SHA256 checksum file in order to verify the integrity of the downloaded image. Verifying the integrity of downloads serves two purposes:

  • It ensures that the download completed
  • It safeguards against a party maliciously tampering with the images

In order to safeguard against the latter, however, be sure to download the checksum from a different mirror site than the site from which you downloaded the image. This provides an additional measure of security should an individual mirror site be compromised.

Windows has several utilities for displaying SHA256 hashes for a file. Under BSD and Linux, generating the SHA256 hash is as easy as typing the following command:

shasum -a 256 pfSense-LiveCD-2.4.2-RELEASE-amd64.iso.gz

This command generates the SHA256 checksum for the 64-bit Live CD version of pfSense 2.4.2. Compare the resulting hash with the contents of the .sha256 file downloaded from one of the (other) mirrors; the two must match exactly.
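The comparison the text describes is easy to get wrong by eye (a 64-character hex string), so here is a small POSIX shell script, added as an example and not taken from the book, that does it mechanically: it hashes the downloaded image, looks up the expected digest for that file name in a .sha256 file (the one fetched from a second mirror), and reports OK or MISMATCH. It assumes the checksum file is in either the BSD form "SHA256 (file) = digest" or the GNU form "digest  file"; the file names are placeholders, and the hello-world digest used in the comment is constructed for illustration.

```shell
#!/bin/sh
# Added example: verify a downloaded pfSense image against a .sha256 file
# obtained from a different mirror than the image itself.

sha256_of() {
  # Print the lowercase SHA256 hex digest of file "$1", using whichever
  # tool is installed (sha256sum on Linux, shasum on BSD/macOS).
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

expected_sha256() {
  # Print the digest recorded for file name "$2" in checksum file "$1".
  # Accepts "SHA256 (name) = digest" (BSD) and "digest  name" / "digest *name" (GNU).
  # Prints nothing if the file has no entry for that name.
  awk -v name="$2" '
    $1 == "SHA256" && $2 == ("(" name ")") { print $NF; exit }
    $2 == name || $2 == ("*" name)         { print $1;  exit }
  ' "$1" | tr 'A-Z' 'a-z'
}

verify_image() {
  # Return 0 if the digest of image "$1" matches its entry in checksum file "$2",
  # 1 on mismatch or when no entry exists (a missing entry is treated as failure).
  image=$1
  sums=$2
  actual=$(sha256_of "$image")
  expected=$(expected_sha256 "$sums" "$(basename "$image")")
  if [ -z "$expected" ]; then
    echo "no entry for $(basename "$image") in $sums" >&2
    return 1
  fi
  if [ "$actual" = "$expected" ]; then
    echo "OK: $image"
    return 0
  fi
  echo "MISMATCH: $image" >&2
  echo "  expected $expected" >&2
  echo "  actual   $actual" >&2
  return 1
}

# Usage: sh verify.sh pfSense-LiveCD-2.4.2-RELEASE-amd64.iso.gz pfSense-LiveCD-2.4.2-RELEASE-amd64.iso.gz.sha256
if [ "$#" -eq 2 ]; then
  verify_image "$1" "$2"
fi
```

Because the lookup is keyed on the image's base name, the script also catches the case where the checksum file you fetched belongs to a different release or architecture than the image you downloaded: it fails rather than silently comparing against the wrong entry.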

The initial pfSense boot menu when booting from a CD or USB drive

    • If the system hangs during the boot process, there are several options you can try from the first menu that appears as pfSense boots. The last two entries in that menu are Kernel and Configure Boot Options. Kernel allows you to select which kernel to boot from among the available kernels.

If you have a reason to suspect that the FreeBSD kernel being used is not compatible with your hardware, you might want to switch to the older version. Configure Boot Options launches a menu (shown in the preceding screenshot) with several useful options. A description of these options can be found at: https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/. Toggling [A]CPI Support to off can help in some cases, as ACPI's hardware discovery and configuration capabilities may cause the pfSense boot process to hang. If turning this off doesn't work, you could try booting in Safe [M]ode, and if all else fails, you can toggle [V]erbose mode to On, which will give you detailed messages while booting.

    • While booting, pfSense provides information about your hardware, including expansion buses supported, network interfaces found, and USB support. When this is finished, the graphical installer will launch and you will see the copyright and distribution notice.
  1. Select Accept and press Enter to accept these terms and conditions and continue with the installation.
  2. The installer then provides you with three options: Install pfSense, Rescue Shell, and Recover config.xml. The Rescue Shell option launches a BSD shell prompt from which you can perform functions that might prove helpful in repairing a non-functional pfSense system.

For example, you can copy, delete and edit files from the shell prompt. If you suspect that a recent configuration change is what caused pfSense to break, however, and you saved the configuration file before making the change, the easiest way to fix your system may be to invoke Recover config.xml and restore pfSense from the previously-saved config.xml file.

    • The next screen provides keymap options. Version 2.4.2 supports 99 different keyboard layouts, including both QWERTY and Dvorak layouts. Highlighting a keymap option and pressing Enter selects that option. There's also an option to test the default keymap, and an option to continue with the default keymap.
  1. Select Accept and press Enter when you have selected a keymap.
  2. Next, the installer provides the following disk partitioning options: Auto (UFS), Manual, Shell, and Auto (ZFS). The first and last options allow you to format the disk with the Unix File System (UFS) and Oracle's ZFS respectively.
    • There are advantages and disadvantages to each filesystem, but the following table should help in your decision. Note that both filesystems support file ownership, and file creation/last access timestamps.

Filesystem                              | UFS                        | ZFS
----------------------------------------|----------------------------|----------------------------------------
Original release                        | August 1983 (with BSD 4.2) | November 2005 (with OpenSolaris)
Maximum volume size                     | 2^73 bytes (8 zebibytes)   | 2^128 bytes (256 trillion yobibytes)
Maximum file size                       | 2^73 bytes (8 zebibytes)   | 2^64 bytes (16 exbibytes)
Maximum filename length                 | 255 bytes                  | 255 bytes
Case sensitive                          | Yes                        | Yes
Support for filesystem-level encryption | No                         | Yes
Data deduplication                      | No                         | Yes
Data checksums                          | No                         | Yes

    • In general, UFS is the tried-and-true filesystem, while ZFS was created with security in mind and incorporates many newer features such as filesystem-level encryption and data checksums.
pfSense does not support converting the filesystem to ZFS after installation; ZFS formatting must be done before installation.
    • Manual, as the name implies, allows you to manually create, delete and modify partitions. There are several choices for partition types; you can even create an Apple Partition Map (APM) or a DOS partition, if that suits you. The Shell option drops you to a BSD shell prompt from which you can also manually create, delete and modify partitions, using shell commands.
  1. If you chose ZFS, the next screen will present a series of options that allow you to further configure your ZFS volume.
    • Pool Type/Disks allows you to select the type of redundancy. The default option is stripe, which provides no redundancy at all. The mirror option provides for duplicate volumes, in which the array continues to operate as long as one drive is functioning. The raid10 option combines mirroring and striping (it is a stripe across mirrored pairs of drives). It requires at least four drives; the array continues to operate if one drive fails, and up to half the drives in the array can fail so long as no mirrored pair loses both of its drives.
    • The next three options, raidz1, raidz2, and raidz3, are non-standard RAID options. Like RAID level 5, though, they achieve redundancy through a parity stripe, although the parity stripe in Z1, Z2 and Z3 is dynamically sized. RAID-Z1 requires at least three disks/volumes and allows one of them to fail without data loss; RAID-Z2 requires four disks/volumes and allows two to fail; RAID-Z3 requires five disks/volumes and allows three to fail.
The installer will not let you proceed unless your RAID set has the minimum number of volumes for the configuration you selected.
  1. If your ZFS RAID is configured correctly, the installer will next present you with a series of ZFS-specific options. You can change the Pool Name (the default is zroot), toggle Force 4K Sectors on or off depending on whether or not you want sectors to align on 4K boundaries, and toggle Encrypt Disks on or off. You can also select a partition scheme for the system.
    • The default is GUID Partition Table (GPT), but the legacy Master Boot Record (MBR) is also supported. You can set it up to boot in BIOS mode, Unified Extensible Firmware Interface (UEFI) mode, or, if your system supports it, both modes. UEFI-based systems, by specification, can only boot from GPT partitions, while some BIOS-based systems can boot from GPT partitions (and all BIOS-based systems can boot from MBR partitions). There is also support for the FreeBSD patch that fixes a bug that prevents GPT partitions from booting on some Lenovo systems (GPT + Lenovo Fix). You can also set the Swap Size, toggle Mirror Swap on or off, and toggle Encrypt Swap on or off.
    • After you have made all desired modifications you can proceed; the installer will format all selected volumes, extract the archive files and install pfSense. You will also be given an option to open a shell prompt to make any final modifications. Otherwise, you can reboot the system and run the newly installed copy of pfSense.
    • If you were unable to install pfSense onto the target media, you may have to troubleshoot your system and/or installation media. If you are attempting to install from the CD, your optical drive may be malfunctioning, or the CD may be faulty.

You may want to start with a known good bootable disc and see if the system will boot off of it. If it can, then your pfSense disk may be at fault; burning the disc again may solve the problem. If, however, your system cannot boot off the known good disc, then the optical drive itself, or the cables connecting the optical drive to the motherboard, may be at fault.

    • In some cases, however, none of the aforementioned possibilities hold true, and it is possible that the FreeBSD boot loader will not work on the target system. If so, then you could opt to install pfSense on a different system.
    • Another possibility is to install pfSense onto a hard drive on a separate system, then transfer the hard drive into the target system. In order to do this, go through the installation process on another system as you would normally until you get to the Assign Interfaces prompt. When the installer asks if you want to assign VLANs, type n. Type exit at the Assign Interfaces prompt to skip the interface assignment. Proceed through the rest of the installation; then power down the system and transfer the hard drive to the target system. Assuming that the pfSense hard drive is in the boot sequence, the system should boot pfSense and detect the target system's hardware correctly. Then you should be able to assign network interfaces. The rest of the configuration can then proceed as usual.
  1. If you have not encountered any of these problems, the software should be installed on the target system, and you should get a dialog box telling you to remove the CD from the optical drive tray and press Enter. The system will now reboot, and you will be booting into your new pfSense install for the first time.