Pfsense Server

This section will guide you through selecting your hardware, the initial pfSense configuration, and installing pfSense to your hard drive

Booting and Media Embedded The embedded builds are made for embedded hardware platforms like the popular PC-Engines ALIX or WRAP and Soekris 4X01 amongst many other suitable platforms. Before you begin with pfSense 1.2.3 NanoBSD images, you might want to check out the following articles: 1. NanoBSD on WRAP 2. ALIX BIOS Update Procedure Special Information 1. Provided as flashable image (can be written to CF-Card, USB-Stick, harddisk, disk-on-module, ...) 2. Read-only filesystem due to limited write cycles of flash media, will only be mounted to write the configuration file or for small, infrequent alterations. 3. Video and keyboard is disabled as some embedded systems don't have this hardware. 4. All console output is at COM1 and 9600 baud (use a nullmodem-cable to connect with a terminal emulation like PuTTY, terraterm, or hyperterminal). 5. Package support starting with NanoBSD-based images for pfSense 1.2.3 and newer. Only for packages which have been altered to work with limited writes. 6. Small footprint: 512MB boot media is sufficient, 128MB for older (1.2.2 and earlier) embedded images. Writing the image You can download the embedded image from one of the pfSense mirrors. Windows When using a windows machine the easiest way to write your media is with physdiskwrite. Place physdiskwrite and the pfSense image in the same folder. Attach the media you want to store pfSense on (i.e. CF-Reader and CF-Card). Then issue the following command:

physdiskwrite pfSense-1.2.3-RELEASE-xg-nanobsd.img.gz Physdiskwrite will show you a numbered list of suitable devices (USB-stick, CF-cards in USB-readers, harddisks,...). Enter the number of the desired media. Linux For Linux machines, use the built in dd command from a terminal shell. Extract the downloaded gzipped archive first withunp.

unp pfSense-1.2.3-RELEASE-xg-nanobsd.img.gz

If the convenience utility unp is not installed, use gunzip instead. The img file is a raw copy of the target compact flash disk, including the partition table, mbr, boot sectors and file system. Write it to your media with dd.

dd if=pfSense-2.0.1-RELEASE-1g-i386-nanobsd.img of=/dev/sdz You will need to amend if= (input file) when your downloaded file name varies. Destination of= (output file) is where the image is written to. It should be a block device, and the first 1Gb will be overwritten. It is set to the seldom used sdz in the above example, to prevent accidental overwrite if the command is pasted directly. Use df or lsusb to determine the device name for your compact flash. WARNING By choosing the wrong destination you might wipe one of your hard disks! Check and recheck your selection again!! PXE Some Alix boards can PXE boot from the network. If you boot a sysresccd serial console image, you could then write the pfSense image to the compact flash with the above steps, without having to physically remove it from the firewall device. You can auto start script sysresccd, and could therefore clean install and customize many firewall devices unattended. Booting pfSense the first time Before attempting to boot, if you are using NanoBSD (pfSense 1.2.3 or newer) on ALIX hardware, ensure you have the latest BIOS (at least 0.99h) and set CHS mode in the BIOS. After your media is successfully written, place it in your system as bootmedia. Check your BIOS to select the correct boot priority and configure the device. If everything is configured correctly you should see the kernel beginning to load. At systems with VGA the output will stop displaying a "/" at the screen. From that point on all output is at COM1. Please check the bootup process there by using a null modemcable and a terminal program. The image has a default config that works with the ALIX and the SOEKRIS. With these platforms simply connect a client to the LAN Interface and it gets an IP by DHCP. You can access pfSense at 192.168.1.1. Logon with user "admin" and password "pfsense". If you are using a direct connect from your client to the pfSense interface remember that you need a crossover cable. For other systems please continue at "Initial pfSense configuration" as you most likely have to assign interfaces before you can access pfSense's webgui.

Tutorial for setting up a PC-Engines WRAP A tutorial how to set up pfSense for a PC-Engines WRAP can be found here.

LiveCD / Hard Drive The LiveCD can be used to evaluate pfSense. You need a CD-Burner and a CD-Writing application that is capable of writing a CD from an iso file like i.e. the free CD Burner XP. A system with at least 2 NICs and a CDROM to boot from is needed. After bootup, you can choose any detected usable media like (floppy, usb-stick, ...) to store your custom config on (Option 98 at the shell menu). The LiveCD is searching on all available medias for the config file on bootup. This way you can run the system from CD and config media only.

The Install option At the same time the LiveCD is the installer which can setup pfSense to your hard disk. It's recommended that you first configure pfSense before you run the installer (option 99 at the shell menu).

Virtual Machine Install You can install pfSense in a VM, and use either entirely within the host (in which case you will not need any additional NICs) or to connect to physical networks (when you will need extra NICs as you would for a normal installation). There is a detailed guide to setting up pfSense under VMWare server, running under Windows server 2003Installing_pfSense_in_vmware_under_windows

Initial pfSense configuration Assigning Interfaces The first time pfSense boots up it will ask you to assign the interfaces if it has not found a configfile or interface configuration is different from what was found in the config file. VLANS You now have the option to assign VLANs. If you don't need VLANs or don't know what VLANs are choose no here. VLANs are optional and are only needed for advanced networking. You as well need VLAN-capable equipment if you plan to use it. (better description and config steps still needed here) LAN, WAN, OPTx The first interface it asks you to assign is the LAN interface. If you know the interface you want to assign LAN to enter the name of the interface like "fxp0" and hit enter. The second interface you have to assign is the WAN interface. Enter the appropriate interface like "fxp1" and hit enter again. You at least need two interfaces (LAN and WAN) to setup pfSense. If you have more interfaces available you can go on and assign them as OPTx interfaces. The procedure is the same like for the already assigned interfaces. Auto Assign Procedure There is another procedure to assign interfaces which is especially designed if your nics are all of the same kind and you don't know which physical nic matches which detected nic as they all then will appear for example as fxpX. In this case you simply can enter "a" when you are asked for the nic name. pfSense now is waiting for a linkup event at one of the nics. Just plug in a cable to the nic you want to assign and wait for the link light to turn on at the nic. Hit enter after that. pfSense has detected the linkup and you can continue with the next interface. If you have no more interfaces left just hit enter without entering a NIC name and apply the settings by confirming them with "y".

Finishing steps pfSense now will make the finishing touches to configure the interfaces.

After it went through the configuration you'll end up with a shell menu and a number of options. pfSense now is ready to be accessed at the interface you assigned as LAN with the webgui.

pfSense default configuration By default pfSense will have the following configuration.     

WAN is configured as DHCP client, all incoming connections are blocked by default. LAN is configured at 192.168.1.1/24 and acts as DHCP-Server and offers a DNS-forwarder. OPTx interfaces are disabled, you have to enable and configure them at the webgui. WebGUI runs at port 80, username is "admin", password "pfsense". SSH is disabled.

Storing your configfile on a writable media If you are planning to run the LiveCD with a writable configmedia run option 98 to assign the drive that should hold your configfile. The LiveCD will browse all available medias on bootup for a valid configfile and use it if found.

Accessing the webgui You now should modify the configuration to fit your needs at the webgui. Make sure your client got an IP and use your favourite browser to access http://192.168.1.1 using "admin" as user and "pfsense" as password. The easiest way to go through all the basic settings is to run the setup wizard that can be found in the webgui-menu at System>Setup Wizard.

Installing pfSense to Hard Disk If you are satisfied and want to setup pfSense to your hard drive run option 99 from the shell menu now. The configuration you did will be transferred to the hard drive by the installer. (Basically you can run through the installer by just accepting all suggestions the installer is offering)

First you get some settings to localize your keyboard or change your console appearance. Change what you need or just go one by accepting the settings.

Next pfSense will present a list with detected suitable installmedias to you. Please make sure you are not accidently overwriting data you still need. It's recommended to have a dedicated media only for your install. Any other constelations are not officially supported. Choose your media and hit enter to continue.

You should format the disk to prepare it for the installation. Beware this will whipe your entire media!

At the next step pfSense will show you the detected drive geometry. You should leave this the way it was detected as long as you don't run into any troubles while installing with these settings. In case you get errors try to alter your bios settings befor manually entering values here. Setting your drive from auto to lba or chs in bioas already might help to detect the right settings.

Now you are at the point of no return: Only hit "Format xxX" if you are really sure there is no valuable data left at this media!

The media is now prepared to continue with partitioning. Just hit enter to move on.

pfSense suggests using the complete space of your drive for the installation. You usually should just keep this setting and move on to the next step.

In case your partitioning was the same like before as this is a reinstall confirm the changes.

You typically can confirm the following step. If you encounter problems with the bootloader after the installation is done rerun the installation and check "Packet mode" at this screen.

Select the just created partition as target for your installation.

Confirm this step. In case you skipped the above settings this is the point where your data on the media will be overwritten.

pfSense suggests a setting for your subpartitioning now which you usually should just keep.

After accepting the above settings pfSense is starting to transfer the system to the prepared media.

You will be asked after a short time to remove the CD and reboot the system to boot your new install.

The system is now going down for reboot and your installation is finished

Additional Information