Pfsense firewall
WORKING WITH PFSENSE FIREWALL
Data flows into and out of devices through what we call ports. A firewall is what
controls what is - and more importantly is not - allowed to pass through those
ports. You can think of it like a security guard standing at the door, checking the
ID of everything that tries to enter or exit.
For most normal computers or home networks, the firewall should allow very
little, if any, inbound traffic. There is rarely any legitimate reason for other
devices to need to connect to your device, or home network, unsolicited.
A firewall is a network security device, either hardware or software-based, which
monitors all incoming and outgoing traffic and based on a defined set of security
rules accepts, rejects, or drops that specific traffic.
• Accept: allow the traffic
• Reject: block the traffic but reply with an “unreachable error”
• Drop: block the traffic with no reply
Diagram: Labelled Diagram of a firewall in General
Working of Firewall
A firewall matches network traffic against the rule set defined in its table. Once
a rule is matched, the associated action is applied to that traffic. For
example, one rule may state that no employee from the Human Resources department
can access data on the code server, while another rule states that a system
administrator can access data from both the Human Resources and technical
departments. Rules are defined on the firewall according to the needs and
security policies of the organization. From the perspective of a server, network
traffic is either outgoing or incoming.
The firewall maintains a distinct set of rules for each case. Outgoing traffic,
which originates from the server itself, is mostly allowed to pass. Still,
setting rules on outgoing traffic is better for security, because it prevents
unwanted communication. Incoming traffic is treated differently. Most traffic
that reaches the firewall uses one of three major Transport Layer protocols:
TCP, UDP and ICMP. All three carry a source address and a destination address.
TCP and UDP also have port numbers, whereas ICMP uses a type and code instead of
a port number to identify the purpose of the packet.
Default policy: It is very difficult to explicitly cover every possible case with
rules on the firewall. For this reason, the firewall must always have a default
policy. The default policy consists only of an action (accept, reject, or drop).
Suppose no rule about SSH connections to the server is defined on the firewall;
the firewall then follows the default policy. If the default policy is set to
accept, any computer outside the office can establish an SSH connection to the
server. Therefore, setting the default policy to drop (or reject) is always good
practice.
Types of Firewalls:
Firewalls can be categorized based on their generation.
1. Packet Filtering Firewall
A packet filtering firewall controls network access by monitoring outgoing
and incoming packets and allowing or stopping them based on source and
destination IP address, protocol, and port. It analyses traffic at the transport
protocol layer (but mainly uses the first three layers). Packet filtering
firewalls treat each packet in isolation: they have no ability to tell whether
a packet is part of an existing stream of traffic, and can only allow or deny
packets based on the individual packet headers. A packet filtering firewall
maintains a filtering table that decides whether a packet will be forwarded or
discarded. From the given filtering table, packets are filtered according to the
following rules:
• Incoming packets from network 192.168.21.0 are blocked.
• Incoming packets destined for the internal TELNET server (port 23) are
blocked.
• Incoming packets destined for host 192.168.21.3 are blocked.
• All well-known services to the network 192.168.21.0 are allowed.
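The four rules above, together with the default policy described earlier, as a small first-match filter simulator. This is an added example, not code from the original document or from pfSense; the rule table, the helper names and the sample packets are constructed for illustration.

```python
"""First-match packet filter with a default policy.

Added example (not from the original document or from pfSense itself): it
models the four sample rules above as an ordered table, applies the default
policy to anything unmatched, and shows the accept/reject/drop difference.
All packets are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ACCEPT, REJECT, DROP = "accept", "reject", "drop"


@dataclass
class Rule:
    action: str
    src: str = "0.0.0.0/0"                    # source network (CIDR)
    dst: str = "0.0.0.0/0"                    # destination network/host (CIDR)
    proto: Optional[str] = None               # "tcp"/"udp"/"icmp", None = any
    dports: Optional[Tuple[int, int]] = None  # inclusive port range, None = any
    comment: str = ""

    def matches(self, pkt: dict) -> bool:
        if ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt["proto"]:
            return False
        if self.dports is not None:
            port = pkt.get("dport")           # ICMP packets carry no port
            if port is None or not (self.dports[0] <= port <= self.dports[1]):
                return False
        return True


# The filtering table from the text, in evaluation order. Order matters: the
# TELNET block must come before the general well-known-services allow,
# otherwise port 23 (a well-known port) would be accepted by the last rule.
INBOUND_RULES = [
    Rule(DROP, src="192.168.21.0/24", comment="block source network 192.168.21.0"),
    Rule(DROP, proto="tcp", dports=(23, 23), comment="block internal TELNET server"),
    Rule(DROP, dst="192.168.21.3/32", comment="block host 192.168.21.3"),
    Rule(ACCEPT, dst="192.168.21.0/24", dports=(0, 1023),
         comment="allow well-known services to 192.168.21.0"),
]


def filter_packet(pkt: dict, rules=INBOUND_RULES, default: str = DROP):
    """Return (action, reason) for one inbound packet. The first matching rule
    decides; a packet that matches nothing gets the default policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return default, "default policy"


def reply_for(action: str) -> Optional[str]:
    """Reject answers the sender with an unreachable error; drop (and accept)
    send nothing back to the sender."""
    return "unreachable error" if action == REJECT else None


if __name__ == "__main__":
    # Constructed sample packets arriving on the external interface.
    samples = [
        {"src": "203.0.113.7", "dst": "192.168.21.10", "proto": "tcp", "dport": 80},
        {"src": "203.0.113.7", "dst": "192.168.21.10", "proto": "tcp", "dport": 23},
        {"src": "192.168.21.5", "dst": "192.168.21.10", "proto": "tcp", "dport": 80},
        {"src": "203.0.113.7", "dst": "192.168.21.3", "proto": "tcp", "dport": 80},
        {"src": "203.0.113.7", "dst": "192.168.21.10", "proto": "tcp", "dport": 8080},
        {"src": "203.0.113.7", "dst": "192.168.21.10", "proto": "icmp"},
    ]
    for pkt in samples:
        action, why = filter_packet(pkt)
        print(f"{pkt['src']:>14} -> {pkt['dst']}:{pkt.get('dport')} {action:7} ({why})")
    # Same unmatched packet under an accept default: this is the SSH-style
    # exposure the text warns about.
    print(filter_packet(samples[4], default=ACCEPT))
```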
2. Stateful Inspection Firewall
Stateful firewalls (which perform Stateful Packet Inspection) can determine the
connection state of a packet, unlike packet filtering firewalls, which makes
them more efficient. A stateful firewall keeps track of the state of network
connections travelling across it, such as TCP streams, so filtering decisions
are based not only on the defined rules but also on the packet’s history in the
state table.
3. Software Firewall
A software firewall is any firewall that is set up locally or on a cloud server.
When it comes to controlling the inflow and outflow of data packets and limiting
the number of networks that can be linked to a single device, software firewalls
may be the most advantageous. The problem with software firewalls is that they
are time-consuming.
4. Hardware Firewall
Hardware firewalls also go by the name “firewalls based on physical appliances.”
A hardware firewall ensures that malicious data is halted before it reaches the
network endpoint that is in danger.
5. Application Layer Firewall
An application layer firewall can inspect and filter packets on any OSI layer,
up to the application layer. It has the ability to block specific content and to
recognize when certain applications and protocols (like HTTP or FTP) are being
misused. In other words, application layer firewalls are hosts that run proxy
servers. A proxy firewall prevents any direct connection between the two sides
of the firewall: each packet must pass through the proxy.
6. Next Generation Firewalls (NGFW)
An NGFW combines Deep Packet Inspection, application inspection, SSL/SSH
inspection and many other functions to protect the network from modern
threats.
7. Proxy Service Firewall
This kind of firewall filters communications at the application layer, and protects
the network. A proxy firewall acts as a gateway between two networks for a
particular application.
8. Circuit Level Gateway Firewall
This type of firewall works at the Session layer of the OSI model. It allows the
simultaneous setup of two Transmission Control Protocol (TCP) connections and
can allow data packets to flow without using much computing power. These
firewalls are ineffective because they do not inspect data packets: if malware
is present in a data packet, they will permit it to pass as long as the TCP
connections are established properly.
Functions of Firewall
• Every piece of data that enters or leaves a computer network must go through
the firewall.
• If the data packets are safely routed through the firewall, all the important
data remains intact.
• A firewall logs each data packet that passes through it, enabling the user
to keep track of all network activity.
• Since the data is stored safely inside the data packets, it cannot be altered.
• Every attempt to access our operating system is examined by the firewall,
which also blocks traffic from unidentified or undesired sources.
Configuring Pfsense firewall
Installing VMware Workstation Pro or Player on Windows:
1. Download VMware Workstation:
o Go to the VMware Workstation download page or VMware
Workstation Player page.
o Choose the version you want to download: Pro (paid) or Player (free
for personal use).
o Download the Windows version installer (a .exe file).
2. Run the Installer:
o Locate the downloaded .exe file (usually in your Downloads folder).
o Double-click the installer file to start the installation.
3. Begin the Installation Process:
o Click Next on the welcome screen.
o Read and accept the End-User License Agreement (EULA), then click
Next.
4. Choose Installation Options:
o Choose whether to enable Enhanced Keyboard Driver (for better input
capabilities). It is recommended to enable this for better compatibility.
5. Choose the Installation Directory:
o Select the location where you want to install VMware Workstation (or
use the default path).
o Click Next.
6. Create Shortcuts (Optional):
o Choose if you want shortcuts on your Desktop or in the Start Menu.
7. Install VMware:
o Click Install to start the installation process. It may take a few minutes.
o Once the installation is complete, click Finish.
8. Enter License Key (Optional for Pro):
o If you installed VMware Workstation Pro, you may be prompted to
enter your license key to activate it.
o If you are using VMware Player, you can use the free version without a
license key.
9. Restart (if prompted):
o Restart your computer if prompted to ensure that the installation is
fully applied.
10. Launch VMware:
o Open VMware Workstation or Player from the Start Menu or Desktop
shortcut.
o You can now create and run virtual machines.
Steps to install pfSense from the ISO:
Step 1: Download the pfSense ISO
1. Visit the pfSense Download Page:
o Go to the official pfSense download page.
o Or visit ISO FILES
2. Select the Installer Options:
o Choose the appropriate version (usually the latest stable release).
o Architecture: Select AMD64 (64-bit).
o Installer Type: Choose DVD Image (ISO).
o Mirror: Select a download mirror close to your location for faster
downloads.
3. Download the ISO File:
o Click Download to start downloading the ISO file. Save it to a
location you can easily access (e.g., your Downloads folder).
Step 2: Create a New Virtual Machine in VMware Workstation
1. Open VMware Workstation:
o Launch VMware Workstation Pro or Player.
2. Create a New Virtual Machine:
o Click File > New Virtual Machine or select Create a New Virtual
Machine from the home screen.
3. Choose the Installation Method:
o Select Installer disc image file (ISO).
o Browse and select the pfSense ISO you downloaded earlier.
o Click Next.
4. Select Guest Operating System:
o Choose Other as the Guest Operating System.
o Select FreeBSD 12 or later version (pfSense is based on FreeBSD).
o Click Next.
5. Name the Virtual Machine:
o Give your virtual machine a name (e.g., pfSense) and choose a
location to save it.
o Click Next.
6. Set Disk Size:
o Set the maximum disk size (e.g., 10 GB is usually sufficient for
pfSense).
o Choose Store virtual disk as a single file.
o Click Next.
7. Customize Hardware (Optional but Recommended):
o Click Customize Hardware:
▪ Memory: Allocate 1 GB of RAM (or more if you have the
resources).
▪ Network Adapters:
▪ Adapter 1: Set to Bridged (this will act as the WAN
interface).
▪ Add Adapter 2: Set this to NAT or Host-only (this will
act as the LAN interface).
▪ Processors: Allocate at least 1 processor with 2 cores.
8. Finish Creating the Virtual Machine:
o Click Close in the hardware settings window.
o Click Finish to create the virtual machine.
Step 3: Install pfSense on the Virtual Machine
1. Power On the Virtual Machine:
o Select the pfSense VM in VMware Workstation and click Power on
this virtual machine.
2. Boot from the pfSense ISO:
o The VM will boot from the ISO and display the pfSense installation
menu.
o Select Install and press Enter.
3. Choose Keymap:
o Select the default U.S. Keymap or choose another if needed, then
press Enter.
4. Select Installation Mode:
o Choose Auto (UFS) for a simple installation. This will automatically
configure the disk partitions using the UFS file system.
o Alternatively, choose ZFS if you want more advanced file system
features like snapshots.
5. Confirm the Disk to Install pfSense:
o Select the virtual disk where pfSense will be installed (this should
be the only disk available).
o Confirm to proceed with the installation.
6. Wait for the Installation to Complete:
o The installation will take a few minutes. Once completed, it will
prompt you to reboot the system.
o Remove the ISO from the virtual CD/DVD drive before rebooting, so
it does not boot into the installer again.
7. Reboot the Virtual Machine:
o Allow the VM to reboot into the pfSense installation.
Step 4: Configure pfSense Initial Setup
1. Assign Network Interfaces:
o After the reboot, pfSense will ask you to assign network interfaces:
▪ The WAN (wide area network) interface should be assigned to
the first network adapter.
▪ The LAN (local area network) interface should be assigned to the
second network adapter.
o Type the interface names as vmx0 (for WAN) and vmx1 (for LAN) when
prompted, depending on how VMware detects them.
o Press Enter after each input.
2. Initial Configuration of pfSense:
o After assigning interfaces, pfSense will display an IP address for the LAN
(e.g., 192.168.1.1; check the address shown on your own console).
o Use this IP address to access the pfSense web configurator.
3. Access pfSense Web GUI:
o Open a web browser on your host machine (or any machine connected
to the same network).
o Go to https://192.168.1.1 (replace with your pfSense LAN IP if
different).
o Proceed past the security certificate warning to the website; the warning
is expected because pfSense ships with a self-signed certificate.
4. Login to pfSense:
o Default username: admin
o Default password: pfsense (this can be changed later, once the pfSense web
interface is configured).
o After logging in, follow the setup wizard to complete the initial
configuration, including setting up the WAN/LAN settings, password
change, and DNS settings.
Step 5: Finalize and Test pfSense Configuration
1. Update pfSense (Optional but Recommended):
o Go to System > Update in the web configurator and install any
available updates.
2. Set Up Basic Firewall Rules:
o Configure basic firewall rules to allow or block traffic as per your
needs.
3. Test Connectivity:
o Check if the WAN connection is working and that the LAN clients
can access the internet through pfSense.
o Use a client machine connected to the LAN network to test.
Configuring Setup Wizard:
Setup Wizard
The first time a user logs into the pfSense® software GUI, the firewall presents
the Setup Wizard automatically. The first page of the wizard is shown in
Figure Setup Wizard Starting Screen.
Click >> Next to proceed.
Setup Wizard Starting Screen
The next screen of the wizard explains the availability of support from Netgate.
Click >>Next again to start the configuration process using the wizard.
General Information Screen
The next screen (Figure General Information Screen) configures the name of this
firewall, the domain in which it resides, and the DNS servers for the firewall.
Hostname:
The Hostname is a name that should uniquely identify this firewall. It can be
nearly anything, but must start with a letter and it may contain only letters,
numbers, or a hyphen.
Domain:
Enter a Domain, e.g. example.com. If this network does not have a domain,
use <something>.home.arpa, where <something> is another identifier: a
company name, last name, nickname, etc. For example, company.home.arpa. The
hostname and domain name are combined to make up the fully qualified domain
name of this firewall.
Primary/Secondary DNS Server:
The IP address of the Primary DNS Server and Secondary DNS Server, if known.
These DNS servers may be left blank if the DNS Resolver will remain active using
its default settings. The default configuration has the DNS Resolver active in
resolver mode (not forwarding mode); when set this way, the DNS Resolver does
not need forwarding DNS servers, as it communicates directly with the root DNS
servers and other authoritative DNS servers. To force the firewall to use these
configured DNS servers, enable forwarding mode in the DNS Resolver or use the
DNS Forwarder.
If this firewall has a dynamic WAN type such as DHCP, PPTP or PPPoE these may
be automatically assigned by the ISP and can be left blank.
Note
The firewall can have more than two DNS servers, add more under System >
General Setup after completing the wizard.
Override DNS:
When checked, a dynamic WAN ISP can supply DNS servers which override those
set manually. To force the use of only the DNS servers configured manually,
uncheck this option.
General Information Screen
NTP and Time Zone Configuration
The next screen (Figure NTP and Time Zone Setup Screen) has time-related
options.
Time server hostname:
A Network Time Protocol (NTP) server hostname or IP address. Unless a specific
NTP server is required, such as one on LAN, the best practice is to leave the Time
server hostname at the default 2.pfsense.pool.ntp.org. This value will pick a set
of random servers from a pool of known-good NTP hosts.
To utilize multiple time server pools or individual servers, add them in the same
box, separating each server by a space. For example, to use three NTP servers
from the pool,
enter: 0.pfsense.pool.ntp.org 1.pfsense.pool.ntp.org 2.pfsense.pool.ntp.org
This numbering is specific to how .pool.ntp.org operates and ensures each
address is drawn from a unique pool of NTP servers so the same server does not
get used twice.
Timezone:
Choose a geographically named zone which best matches the location of this
firewall, or any other desired zone.
Click >>NEXT to continue.
NTP and Time Zone Setup Screen
WAN Configuration
The next page of the wizard configures the WAN interface of the firewall. This is
the external network facing the ISP or upstream router, so the wizard offers
configuration choices to support several common ISP connection types.
WAN Type:
The Selected Type (Figure WAN Configuration) must match the type of WAN
required by the ISP, or whatever the previous firewall or router was configured
to use. Possible choices are Static, DHCP, PPPoE, and PPTP. The default choice
is DHCP because it is the most common, and for most cases this setting allows a
firewall to “Just Work” without additional configuration. If the WAN type is not
known, or specific settings for the WAN are not known, this information must be
obtained from the ISP. If the required WAN type is not available in the wizard, or
to read more information about the different WAN types, see Interface Types
and Configuration.
Note
If the WAN interface is wireless, additional options will be presented by the
wizard which are not covered during this walkthrough of the standard Setup
Wizard. Refer to Wireless, which has a section on Wireless WAN for additional
information. If any of the options are unclear, skip the WAN setup for now, and
then perform the wireless configuration afterward.
WAN Configuration
MAC Address:
This field, shown in Figure General WAN Configuration, changes the MAC
address used on the WAN network interface. This is also known as “spoofing”
the MAC address.
Note
The problems alleviated by spoofing a MAC address are typically temporary and
easily worked around. The best course of action is to maintain the original
hardware MAC address, resorting to spoofing only when necessary.
Changing the MAC address can be useful when replacing an existing piece of
network equipment. Certain ISPs, primarily Cable providers, will not work
properly if a new MAC address is encountered. Some Internet providers require
power cycling the modem, others require registering the new address over the
phone. Additionally, if this WAN connection is on a network segment with other
systems that locate it via ARP, changing the MAC to match an older piece of
equipment may also help ease the transition, rather than having to clear ARP
caches or update static ARP entries.
Warning
If this firewall will ever be used as part of a High Availability Cluster, do not
spoof the MAC address.
Maximum Transmission Unit (MTU):
The MTU field, shown in Figure General WAN Configuration, can typically be left
blank, but can be changed when necessary. Some situations may call for a lower
MTU to ensure packets are sized appropriately for an Internet connection. In
most cases, the default assumed values for the WAN connection type will work
properly.
Maximum Segment Size (MSS):
The MSS field, shown in Figure General WAN Configuration, can typically be left
blank, but can be changed when necessary. This field enables MSS clamping, which
ensures TCP packet sizes remain adequately small for a particular Internet
connection.
General WAN Configuration
Static IP Configuration:
If the “Static” choice for the WAN type is selected, the IP address, Subnet Mask,
and Upstream Gateway must all be filled in (Figure Static IP Settings). This
information must be obtained from the ISP or whoever controls the network on
the WAN side of this firewall. The IP Address and Upstream Gateway must both
reside in the same Subnet.
Static IP Settings
DHCP Hostname:
This field (Figure DHCP Hostname Setting) is only required by a few ISPs. This
value is sent along with the DHCP request to obtain a WAN IP address. If the
value for this field is unknown, try leaving it blank unless directed otherwise by
the ISP.
DHCP Hostname Setting
PPPoE Configuration:
When using the PPPoE (Point-to-Point Protocol over Ethernet) WAN type
(Figure PPPoE Configuration), the PPPoE Username and PPPoE Password fields
are required, at a minimum. The values for these fields are determined by the
ISP.
PPPoE Username:
The login name for PPPoE authentication. The format is controlled by the ISP, but
commonly uses an e-mail address style such as
[email protected].
PPPoE Password:
The password to login to the account specified by the username above. The
password is masked by default. To view the entered password, check Reveal
password characters.
PPPoE Service Name:
The PPPoE Service name may be required by an ISP, but is typically left blank.
When in doubt, leave it blank or contact the ISP and ask if it is necessary.
PPPoE Dial on Demand:
This option leaves the connection down/offline until data is requested that
would need the connection to the Internet. PPPoE logins happen quite fast, so
in most cases the delay while the connection is setup would be negligible. If
public services are hosted behind this firewall, do not check this option as an
online connection must be maintained as much as possible in that case. Also
note that this choice will not drop an existing connection.
PPPoE Idle Timeout:
Specifies how long the PPPoE connection remains up without transmitting
data before disconnecting. This is only useful when coupled with Dial on
Demand, and is typically left blank (disabled).
Note
This option also requires the deactivation of gateway monitoring, otherwise the
connection will never be idle.
PPPoE Configuration
PPTP Configuration:
The PPTP (Point-to-Point Tunnelling Protocol) WAN type is for ISPs that require
a PPTP login, not for connecting to a remote PPTP VPN. These settings, much
like the PPPoE settings, will be provided by the ISP. A few additional options are
required:
Local IP Address:
The local (usually private) address used by this firewall to establish the PPTP
connection.
CIDR Subnet Mask:
The subnet mask for the local address.
Remote IP Address:
The PPTP server address, which is usually inside the same subnet as the Local
IP address.
PPTP WAN Configuration
These last two options, seen in Figure Built-in Ingress Filtering Options, are
useful for preventing invalid traffic from entering the network protected by this
firewall, also known as “Ingress Filtering”.
Block RFC 1918 Private Networks:
Blocks connections sourced from registered private networks such
as 192.168.x.x and 10.x.x.x attempting to enter the WAN interface. A full list of
these networks is in Private IP Addresses.
Block Bogon Networks:
When active, the firewall blocks traffic from entering if it is sourced from
reserved or unassigned IP space that should not be in use. The list of bogon
networks is updated periodically in the background, and requires no manual
maintenance. Bogon networks are further explained in Block Bogon Networks.
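The two ingress-filtering options above, modelled as flags on a WAN source-address check, plus the check a lab builder wants before enabling them. This is an added example, not code from the original document or from pfSense; the RFC 1918 ranges are the real ones, while the bogon list, the function names and the addresses are constructed for illustration.

```python
"""WAN ingress filtering: block RFC 1918 and bogon source addresses.

Added example, not from the original document or from pfSense. It models the
two wizard checkboxes as flags and adds a lab check: when the WAN address
itself is private (common when the VM's WAN is bridged to a home network),
"Block RFC 1918" also blocks hosts on that upstream network, and it takes
precedence over any allow rules later added on WAN. The bogon list here is a
short constructed sample; pfSense refreshes its own list periodically."""
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of reserved/unassigned space; the real bogon list is much
# longer and also covers the documentation ranges (e.g. 203.0.113.0/24), which
# this sample deliberately leaves out so they can serve as "public" test values.
SAMPLE_BOGONS = [ip_network(n) for n in
                 ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "240.0.0.0/4")]


def in_any(addr, nets):
    """True when the address falls inside any of the given networks."""
    return any(addr in n for n in nets)


def ingress_verdict(src, block_private=True, block_bogons=True, bogons=SAMPLE_BOGONS):
    """Decide whether a packet entering on WAN with source `src` passes the
    ingress filter. Returns (allowed, reason). Private space is checked first,
    mirroring the order of the two options in the wizard."""
    addr = ip_address(src)
    if block_private and in_any(addr, RFC1918):
        return False, "RFC 1918 source address on WAN"
    if block_bogons and in_any(addr, bogons):
        return False, "bogon source address on WAN"
    return True, "passes ingress filtering"


def wan_private_warning(wan_addr, block_private=True):
    """Return a warning when 'Block RFC 1918' would also cut off the upstream
    network the WAN itself lives on, otherwise None."""
    if block_private and in_any(ip_address(wan_addr), RFC1918):
        return (f"WAN address {wan_addr} is RFC 1918: 'Block RFC 1918 Private "
                "Networks' also blocks traffic from the upstream network and "
                "overrides allow rules on WAN; leave it unchecked on a lab WAN "
                "behind a home router")
    return None


if __name__ == "__main__":
    # Constructed sources; 203.0.113.7 is documentation space used as "public".
    for src in ("203.0.113.7", "192.168.0.20", "10.1.2.3", "127.0.0.1", "240.1.1.1"):
        print(f"{src:>13}: {ingress_verdict(src)}")
    print(wan_private_warning("192.168.0.105"))   # typical bridged-lab WAN
    print(wan_private_warning("203.0.113.5"))     # real public WAN: None
```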
Click >>Next to continue once the WAN settings have been filled in.
Built-in Ingress Filtering Options
LAN Interface Configuration
This page of the wizard configures the LAN IP Address and Subnet
Mask (Figure LAN Configuration).
If this firewall will not connect to any other network via VPN, the
default 192.168.1.0/24 network may be acceptable. If this network must be
connected to another network, including via VPN from remote locations, choose
a private IP address range much more obscure than the common default
of 192.168.1.0/24. IP space within the 172.16.0.0/12 RFC 1918 private address
block is generally the least frequently used, so choose something
between 172.16.x.x and 172.31.x.x to help avoid VPN connectivity difficulties.
If the LAN is 192.168.1.x and a remote client is at a wireless hotspot
using 192.168.1.x (very common), the client will not be able to communicate
across the VPN. In that case, 192.168.1.x is the local network for the client at the
hotspot, not the remote network over the VPN.
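The overlap problem described above, turned into a check that can be run before committing to a LAN subnet. This is an added example, not code from the original document or from pfSense; the remote networks and function names are constructed for illustration.

```python
"""Check a planned LAN subnet against networks reachable over a VPN.

Added example, not from the original document or from pfSense. It reports
which remote networks a candidate LAN subnet overlaps, then suggests the
first /24 inside 172.16.0.0/12 that avoids all of them, as the text
recommends. The remote networks used below are constructed sample values."""
from ipaddress import ip_network


def overlapping_networks(lan, remote_nets):
    """Return the remote networks (as strings) that overlap the LAN subnet.
    A remote client sitting on an overlapping network cannot reach the LAN
    over the VPN, because the address range is local to it."""
    lan_net = ip_network(lan)
    return [str(r) for r in map(ip_network, remote_nets) if lan_net.overlaps(r)]


def suggest_lan(remote_nets, prefixlen=24, space="172.16.0.0/12"):
    """Return the first /prefixlen inside `space` that overlaps none of the
    remote networks, or None if the whole space is already taken."""
    remotes = [ip_network(r) for r in remote_nets]
    for cand in ip_network(space).subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(r) for r in remotes):
            return str(cand)
    return None


if __name__ == "__main__":
    # Constructed: a remote office on 192.168.1.0/24, a site on 10.10.0.0/16,
    # and a partner that already uses 172.16.0.0/24.
    remote = ["192.168.1.0/24", "10.10.0.0/16", "172.16.0.0/24"]
    print("overlaps with default LAN:", overlapping_networks("192.168.1.0/24", remote))
    print("suggested LAN:", suggest_lan(remote))
```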
If the LAN IP Address must be changed, enter it here along with a new Subnet
Mask. If these settings are changed, the IP address of the computer used to
complete the wizard must also be changed if it is connected through the LAN.
Release/renew its DHCP lease, or perform a “Repair” or “Diagnose” on the
network interface when finished with the setup wizard.
LAN Configuration
Click >>Next to continue.
Set admin password
Next, change the administrative password for the GUI as shown in Figure Change
Administrative Password. The best practice is to use a strong and secure
password.
Warning
This password cannot be set to the same value as the username.
Additionally, on pfSense Plus software version 24.03 and later, the password
cannot be set to the default value (Default Username and Password).
Enter the password in the Admin Password box and again in the confirmation box
to be sure that it has been entered correctly.
Warning
On pfSense Plus software version 24.03 and later changing the password
is mandatory. The wizard will not proceed until the password is changed.
Click >>Next to continue.
Warning
Do not leave the password set to the default pfsense. If access to the firewall
administration via GUI or SSH is exposed to the Internet, intentionally or
accidentally, the firewall could easily be compromised if it still uses the default
password.
Change Administrative Password
Completing the Setup Wizard
That completes the setup wizard configuration. Click Reload (Figure Reload the
GUI) and the GUI will apply the settings from the wizard and reload services
changed by the wizard.
Reload the GUI
Note
If the LAN IP address was changed in the wizard and the wizard was run from
the LAN, adjust the client computer’s IP address accordingly after
clicking Reload.
When prompted to login again, enter the new password. The username
remains admin.
After reloading, the final screen of the wizard includes convenient links to
check for updates, get support, and other resources. Click Finish to complete
and exit the wizard.
At this point the firewall will have basic connectivity to the Internet via the
WAN and clients on the LAN side will be able to reach Internet sites through
this firewall.
If at any time this initial configuration must be repeated, revisit the wizard
at System > Setup Wizard from within the GUI.
Managing Lists in the GUI:
The pfSense® software GUI has a common set of icons which are used for
managing lists and collections of objects throughout the firewall. Not every icon
is used in every page, but their meanings are consistent based on the context in
which they are seen. Examples of such lists include firewall rules, NAT rules,
IPsec, OpenVPN, and certificates.
• Add a new item to a list
• Add an item to the beginning of a list
• Add an item to the end of a list
• Edit an existing item
• Copy an item (create a new item based on the selected item)
• Disable an active item
• Enable a disabled item
• Delete an item
• Used for moving entries after selecting one or more items. Click to move
the selected items above this row. Shift-click to move the selected items below
this row.
General Configuration Options
System > General Setup contains basic configuration options for pfSense®
software. A few of these options are also found in the Setup Wizard.
Hostname:
The Hostname is the short name for this firewall, such as firewall1, hq-fw,
or site1. The name must start with a letter and it may contain only letters,
numbers, or a hyphen.
Domain:
The Domain name for this firewall, e.g. example.com. If this network does not
have a domain, use <something>.home.arpa, where <something> is another
identifier: a company name, last name, nickname, etc. For
example, company.home.arpa.
The Hostname and Domain name are combined to make up the Fully Qualified
Domain Name (FQDN) of this firewall. For example, if the Hostname is fw1 and
the Domain is example.com, then the FQDN is fw1.example.com.
DNS Server Settings
Options in this section control how the firewall resolves hostnames using DNS.
Note:
The DNS Resolver is active by default and uses resolver mode (DNS Resolver
Mode). When set this way the DNS Resolver does not need forwarding DNS
servers as it will communicate directly with root DNS servers and other
authoritative DNS servers.
To use the servers in this list, switch the DNS resolver to forwarding mode. The
DNS Forwarder (DNS Forwarder) only supports forwarding mode and will always
use the servers from this list.
DNS Servers
This page supports multiple DNS servers managed as a list. To add more DNS
servers, click Add DNS Server. To remove an entry from the list,
click Delete.
The DNS server list may be left blank if the DNS Resolver is active in its default
resolver mode. If this firewall has a dynamic WAN type such as DHCP or PPPoE
these servers may be automatically assigned by the ISP and can also be left
blank.
Each DNS server entry has the following properties:
Address:
The IP address of the DNS Server.
Hostname:
The FQDN of the DNS server, used to validate DNS server certificates when using
DNS over TLS (DNS Resolver Configuration).
Gateway:
The gateway through which the firewall will reach this DNS server.
This is useful in a multi-WAN scenario where, ideally, the firewall will have at
least one DNS server configured per WAN. More information on DNS for Multi-
WAN can be found in DNS Forwarding and Static Routes.
DNS Resolution Behaviour:
These options fine tune the way the firewall utilizes DNS servers.
DNS Server Override:
When checked, a dynamic WAN ISP can supply DNS servers which override those
set manually. To force the use of only the DNS servers on this page, uncheck this
option. This does not apply to the DNS Resolver when acting in resolver mode.
DNS Resolution Behaviour:
This option controls how the firewall itself resolves DNS queries.
Use Local DNS (127.0.0.1), fall back to remote DNS Servers (Default):
By default, the firewall will consult the DNS Resolver or DNS Forwarder running
on this firewall to resolve hostnames for itself. It does this by listing localhost
(127.0.0.1) as its first DNS server internally. If the local DNS server is
unreachable, the firewall will send queries directly to the DNS servers configured
on this page, or those received from dynamic WANs.
This method gives the firewall the best chance of having working DNS.
Use Local DNS (127.0.0.1), ignore remote DNS Servers:
Like the option above, this option will make the firewall use its own DNS Resolver
or DNS Forwarder to resolve hostnames. However, it will not attempt to use any
other server.
This option is more secure as it forces DNS to be resolved using the configuration
on the DNS Resolver or DNS Forwarder, which may have special requirements
restricting or redirecting name resolution. For example, if the DNS Resolver is
configured for DNS over TLS, using this option ensures that the firewall will not
send queries to DNS servers without using TLS.
Use remote DNS Servers, ignore local DNS:
This option forces the firewall to use the DNS servers configured on this page or
from dynamic WANs and it will not utilize the local DNS Resolver or DNS
Forwarder.
This option is useful when the local DNS service is configured in a strict manner
to control client behaviour, but the firewall still needs unrestricted access to DNS
for tasks such as updates and installing packages.
Localization
Options in this section control the firewall clock and language.
Time Zone:
The time zone used by the firewall for its clock. Choose a geographically named
zone which best matches location of this firewall, or a common zone such as
UTC. The firewall clock, log entries, and other areas of the firewall base their
time on this zone.
Note:
Changing the zone requires a reboot to fully activate the new zone in all areas of
the firewall.
Avoid using the GMT +/- zones as they do not operate in an intuitive manner.
See Troubleshooting Time Zone Configuration for more information.
Time Servers:
Network Time Protocol (NTP) server hostnames or IP addresses. Unless a specific
NTP server is required, such as one on LAN, the best practice is to leave the Time
Servers value at the default 2.pfsense.pool.ntp.org. This value will pick random
servers from a pool of known-good IPv4 and IPv6 NTP hosts.
To utilize multiple time servers or pools, add them in the same box, separating
each entry by a space. For example, to use three NTP servers from the pool,
enter:
0.pfsense.pool.ntp.org 1.pfsense.pool.ntp.org 2.pfsense.pool.ntp.org
This numbering is specific to how .pool.ntp.org operates and ensures each
address is drawn from a unique pool of NTP servers so the same server does not
get used twice.
Language:
The language used by the GUI. The GUI has been translated into multiple
languages in addition to the default English language.
webConfigurator
Options in this section control various behaviours of the web-based GUI, which
may be referred to as the GUI, Web GUI, or webConfigurator.
Theme:
The Theme controls the look and feel of the GUI. Several themes are included in
the base system, and they only make cosmetic not functional changes to the GUI.
Top Navigation:
This option controls the behaviour of the menu bar at the top of each page.
There are two possible choices:
Scrolls with page:
The default behaviour. When the page scrolls, the navigation remains at the top
of the page, so it is no longer visible as it scrolls off the top of the window.
This is the best option for most situations.
Fixed:
When selected, the navigation remains fixed at the top of the window, always
visible and available for use.
This behaviour can be convenient, but it can be problematic on smaller screens
such as tablets and mobile devices. On low-resolution browsers, long menus can
be cut off, leaving options at the bottom unreachable.
Hostname in Menu:
Chooses if and how the GUI includes the firewall hostname in the menu. This can
aid in quickly identifying a firewall when managing multiple firewalls in separate
tabs or windows, but it consumes extra space in the menu.
Default (No hostname):
The GUI does not display the hostname or FQDN in the menu.
Hostname Only:
When set, the GUI includes the firewall Hostname (no domain name) in the
menu.
If all firewalls are in the same domain, or if they have unique hostnames, this
may be sufficient.
Fully Qualified Domain Name:
When set, the GUI includes the Fully Qualified Domain Name of the firewall in
the menu.
This takes more space than displaying the hostname portion alone, but may be
necessary to properly distinguish firewalls if they use similar hostnames in
multiple domains.
Dashboard Columns:
The dashboard is limited to 2 columns by default. On wider displays, additional
columns can utilize extra horizontal screen space. The maximum number of
columns is 4.
Interfaces Sort:
When unset (default), the GUI presents interfaces in their natural order from the
configuration. This is critical for functions such as High Availability which require
specific interface ordering. When this option is set, the GUI sorts the interface
list alphabetically.
Associated Panels Show/Hide:
A few GUI pages contain collapsible panels with settings or functions. These
panels take up extra screen space so they are hidden by default. For firewall
administrators who use the panels frequently, this can be slow and inefficient.
The options in this group make the GUI show these panels by default instead of
hiding them.
Available Widgets:
Controls the Available Widgets panel on the Dashboard.
Log Filter:
Controls the log filtering ( ) panel used for searching log entries under Status
> System Logs.
Manage Log:
Controls the per-log settings in the Manage Log ( ) panel available for each log
under Status > System Logs.
Monitoring Settings:
Controls the options panel used to change the graphs at Status > Monitoring.
Require State Filter:
When set, the state table contents at Diagnostics > States are suppressed by the
GUI unless a filter string is present. This helps the GUI handle large state tables
which otherwise may fail to load.
Left Column Labels:
When checked, the option labels in the left column are set to toggle options
when clicked. This can be convenient if the firewall administrator is used to the
behaviour, but it can also be problematic on mobile or in cases when the
behaviour is unexpected.
Alias Popups:
When set, the tooltip presented by the GUI when hovering over an alias in a rule
list only shows the alias description. When unset, the contents of the alias are
included in the tooltip. For firewalls with large aliases, this may cause
performance or browser rendering issues.
Disable Dragging:
When set, the GUI disables drag-and-drop on rule lists. Most users find
drag-and-drop to be convenient and beneficial, thus the feature is enabled by
default. Users who find the behaviour undesirable can set this option.
Login Page Colour:
Controls the colour of the login page, which is independent of the theme.
Login Hostname:
When set, the GUI includes the hostname on the login form.