1. How To Access the Firewall
Web GUI
Open your preferred web browser and navigate to https://<firewall IP Address>
This will display the pfSense login page. Enter the admin credentials you were sent via support ticket.
This will log you in and take you to the main pfSense dashboard.
If you are using a server with a graphical interface, such as Windows Server, you can also do the above using the LAN IP of the pfSense firewall rather than the external IP.
Console
pfSense also provides a console that you can access via KVM or iDRAC (if available on the server). The console has a number of options that let you manage certain core features or open a shell on the device.
To do this, either access the firewall via a KVM (which can be requested via support) or via the iDRAC of the server, and launch the virtual console.
This will then provide access to the console, where you can select whichever option is required.
2. Adding a Rule
From the pfSense dashboard, click on Firewall and then Rules. This will take you to the firewall rules overview page, where you can see the WAN and LAN interface rules.
WAN rules are for traffic in and out of the firewall from the internet; by default the WAN interface is set to block all traffic unless it is specifically allowed.
Please note: you may see some rules on the WAN interface that contain our IP addresses. These are added while the firewall is being set up. We would advise keeping them in place in case we ever need access in the future.
LAN rules are for traffic on the local network; by default the LAN interface is normally set to allow all traffic.
To add a rule, select the interface you wish to apply the rule on (normally WAN) and click Add.
The new rule form will pop up and you need to fill in the following:
Action: Pass (this should be set to Pass to allow the traffic)
Interface: WAN
Address Family: IPv4
Protocol: This depends on the traffic you are looking to allow; normally it will be either TCP or UDP
Source: By default this is set to Any. If you only want to allow specific IP addresses access, change this to the Network or Alias option and enter them.
Destination: By default this is set to Any. As with the source, you can change this to the Network or Alias option and enter the IP address of a specific server on the LAN, so that the traffic is only allowed to that server.
Log: This is unticked by default, but can be ticked if you want the firewall to log every packet matched by the rule for troubleshooting.
Description: Enter a description here regarding the purpose of the rule.
Once you have filled in all of the fields, click on Apply and you will be redirected to the main rules overview page.
Here there will now be a box at the top of the rules advising that the filter needs to be reloaded for the rules to take effect. Click on Apply and wait for the page to refresh.
This will then apply the new rule.
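To make the ordering and default-policy behaviour described in this section concrete, here is an added Python model (not code from this guide or from pfSense itself) that evaluates a packet against an interface's rule list the way the rules tab works: rules are checked top to bottom, the first match decides, and anything unmatched falls through to the interface default (block on WAN, pass on LAN). The rule fields mirror the form above; the addresses, rules and packets are constructed for the example, and the second function shows why a rule placed at the top of the list wins over an identical pass rule below it.

```python
# Added example: a model of pfSense per-interface rule evaluation (first match
# wins, then the interface default). Not code from the guide or from pfSense.
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Default policy per interface as described in the guide: WAN blocks anything
# not explicitly allowed, LAN allows everything.
DEFAULT_POLICY = {"WAN": "block", "LAN": "pass"}

@dataclass
class Rule:
    action: str                      # Action: "pass" or "block"
    interface: str                   # Interface: "WAN" or "LAN"
    protocol: str                    # Protocol: "tcp", "udp" or "any"
    source: str = "any"              # Source: "any" or a network in CIDR form
    destination: str = "any"         # Destination: "any" or a network in CIDR form
    dest_port: Optional[int] = None  # destination port, None for any
    log: bool = False                # Log: record packets matching this rule
    description: str = ""            # Description

@dataclass
class Packet:
    interface: str
    protocol: str
    src: str
    dst: str
    dport: int

def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.interface == pkt.interface
            and rule.protocol in ("any", pkt.protocol)
            and _addr_matches(rule.source, pkt.src)
            and _addr_matches(rule.destination, pkt.dst)
            and rule.dest_port in (None, pkt.dport))

def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, str, bool]:
    """Walk the rule list top to bottom; the first matching rule decides.
    Returns (action, description of the deciding rule, whether it is logged)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.description, rule.log
    return DEFAULT_POLICY[pkt.interface], "interface default", False

# Constructed sample rule set: public HTTPS to a web server, SSH only from a
# management range (documentation and private address ranges throughout).
WEB = "10.0.10.5/32"
RULES = [
    Rule("pass", "WAN", "tcp", destination=WEB, dest_port=443, log=True,
         description="Allow HTTPS to web server"),
    Rule("pass", "WAN", "tcp", source="203.0.113.0/24", destination=WEB,
         dest_port=22, description="SSH from management range only"),
]

def decide(pkt: Packet, rules: list[Rule] = RULES) -> str:
    return evaluate(rules, pkt)[0]

def ordering_demo() -> tuple[str, str]:
    """Same packet and rules, but with a block rule added at the top of the
    list: it now wins because it is checked first."""
    https = Packet("WAN", "tcp", "198.51.100.7", "10.0.10.5", 443)
    top_block = Rule("block", "WAN", "tcp", destination=WEB, dest_port=443,
                     description="Temporary block while patching")
    return decide(https), decide(https, [top_block] + RULES)

if __name__ == "__main__":
    for p in (Packet("WAN", "tcp", "198.51.100.7", "10.0.10.5", 443),
              Packet("WAN", "tcp", "203.0.113.9", "10.0.10.5", 22),
              Packet("WAN", "tcp", "198.51.100.7", "10.0.10.5", 22),
              Packet("LAN", "udp", "10.0.10.20", "10.0.10.1", 53)):
        print(p.interface, p.protocol, p.src, "->", p.dst, p.dport, evaluate(RULES, p))
    print(ordering_demo())
```

The SSH packet from an address outside the management range matches neither pass rule and is dropped by the WAN default, which is the behaviour the "block all unless specifically allowed" note above describes; the LAN DNS packet passes without any rule because the LAN default is allow.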
3. NAT Rules
NAT rules allow the firewall to translate an internal IP address such as 10.0.10.5 to an externally reachable IP address on the internet. NAT can be set up in both directions: to allow traffic from the internet to reach a specific server on a specific IP, and to allow that server to appear as the external IP when reaching out to the internet.
There are 4 main types of NAT rules in pfSense:
Port Forward: Port forwards allow access to a specific port, port range or protocol on a privately addressed internal network device
1:1: All traffic initiated on the Internet destined for the specified public IP address on the mapping will be translated to the private IP address, and then evaluated against the firewall ruleset on the inbound WAN interface. If matching traffic is permitted by the firewall rules to a target of the private IP address, it will be passed to the internal host.
Outbound NAT: Outbound NAT, also known as Source NAT, controls how pfSense® software will translate the source address and ports of traffic leaving an interface.
NPt: Network Prefix Translation, or NPt for short, works similarly to 1:1 NAT but operates on IPv6 prefixes instead.
Outbound NAT is normally set up during our configuration of the firewall and does not need to be changed unless this is required on your end.
Port forwards will always take precedence over 1:1 NAT rules, as port forwarding rules allow ports through the WAN to the specified IP, whereas 1:1 NAT just maps the public IP to the internal one with no ports allowed.
Add a port forwarding rule
From the pfSense dashboard click on Firewall, then NAT, then Port Forward. This will take you to the port forward overview page.
Click on the Add button. The arrows on the buttons describe where in the rules table the new rule will go: the up arrow puts the rule at the top and the down arrow puts it at the bottom. This determines which rules are checked first when the firewall evaluates them.
Once you have clicked on Add, the NAT rule form will open. On this page the following options need to be entered:
Interface: WAN
Address Family: IPv4
Protocol: By default this is set to Any, which allows all traffic. We would normally advise setting it to TCP/UDP so that you can specify ports rather than allowing everything.
Source: By default this is set to Any; you can change this to restrict the source to specific IP addresses. If the protocol is set to TCP or UDP
Destination: In this drop-down, select whichever free IP you wish to use that you added in the Virtual IP section <link to add IP guide>. If you have selected TCP/UDP as the protocol, port boxes will appear. Enter the port to use here; if you want to add multiple ports, we would advise using a port alias rather than creating multiple rules. <link to port alias page>
Redirect Target IP: This will be the internal IP of the server you are setting the rule up for, for example, 10.0.10.5
Redirect Target Port: This is shown if you have selected a protocol other than Any. It lets you enter the port(s) to redirect to on the server; again, we would advise using a port alias if you need multiple ports.
Description: enter a relevant description for the rule here
No XMLRPC Sync: This is unticked by default and is only used if the pfSense firewall is set up with a secondary in HA mode
NAT Reflection: This is set to use the system's default
Filter Rule Association: Leave this set to add an associated filter rule. Once the NAT rule is applied, this adds the matching rule on the WAN to allow traffic to the ports specified.
Once you have entered the above, click on Save. As on the firewall rules page, click on the reload button that appears at the top of the page; the page will refresh and the rules will be added.
Add a 1:1 NAT rule
From the NAT overview page click on 1:1 in the top menu bar. This will show a list of any 1:1 rules that have already been set up.
To add a rule click on Add.
The 1:1 NAT rule form will open and the following options need to be set:
Disabled: Leave this unticked to enable the rule
No BINAT (NOT): Leave this unticked
Interface: Leave this as WAN
Address Family: Should be set to IPv4
External Subnet: This is the external IP you want the server to appear as, e.g. 1.1.1.1
Internal IP: This is the internal IP of the server on the LAN, e.g. 10.0.0.5
Destination: This can be left unticked and set to any
Description: Enter a relevant description for the rule here.
NAT reflection: This should be left as Use system default.
Once you click on save, reload the rules using the box that appears and the rule will then be live.
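The two NAT types above interact in a way that is easy to get wrong, so here is an added Python model (not code from this guide or from pfSense) of how an inbound WAN packet is handled: port forwards are consulted first, then 1:1 mappings, and only then does the already translated packet go through the WAN filter rules. A port forward brings its own associated filter rule; a 1:1 mapping does not, so its traffic only passes if a matching rule has been added on the WAN tab. All addresses, ports and rule names are constructed for the example.

```python
# Added example: a model of how inbound WAN traffic passes through pfSense's
# port forward and 1:1 NAT types and then the WAN filter rules. Not code from
# the guide or from pfSense; all addresses, ports and rule names are constructed.
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass
class PortForward:
    wan_ip: str          # Destination (a virtual IP on the WAN)
    protocol: str        # "tcp", "udp" or "tcp/udp"
    port: int            # destination port on the WAN IP
    target_ip: str       # Redirect Target IP
    target_port: int     # Redirect Target Port
    description: str

@dataclass
class OneToOne:
    external_ip: str     # External Subnet (a single address here)
    internal_ip: str     # Internal IP
    description: str

@dataclass
class Inbound:
    protocol: str
    dst_ip: str
    dst_port: int

# A WAN pass rule is (internal ip, port); port None means any port.
PassRule = tuple[str, Optional[int]]

def _proto_ok(spec: str, proto: str) -> bool:
    return spec == "any" or proto in spec.split("/")

def translate(pkt: Inbound, forwards: Iterable[PortForward],
              mappings: Iterable[OneToOne]) -> tuple[str, int, str]:
    """Return (internal ip, internal port, which NAT rule applied).
    Port forwards are checked before 1:1 mappings, so a forward for one port
    on a public IP still wins even when that whole IP is 1:1 mapped."""
    for pf in forwards:
        if (pf.wan_ip == pkt.dst_ip and _proto_ok(pf.protocol, pkt.protocol)
                and pf.port == pkt.dst_port):
            return pf.target_ip, pf.target_port, f"port forward: {pf.description}"
    for m in mappings:
        if m.external_ip == pkt.dst_ip:       # 1:1 keeps the original port
            return m.internal_ip, pkt.dst_port, f"1:1: {m.description}"
    return pkt.dst_ip, pkt.dst_port, "no NAT"

def wan_pass_rules(forwards: Iterable[PortForward],
                   manual: Iterable[PassRule]) -> set[PassRule]:
    """Rules on the WAN tab: the associated filter rule each port forward adds
    automatically, plus rules added by hand (needed for 1:1 traffic)."""
    return {(pf.target_ip, pf.target_port) for pf in forwards} | set(manual)

def handle(pkt: Inbound, forwards, mappings, manual) -> dict:
    ip, port, via = translate(pkt, forwards, mappings)
    rules = wan_pass_rules(forwards, manual)
    allowed = any(r_ip == ip and r_port in (None, port) for r_ip, r_port in rules)
    return {"to": f"{ip}:{port}", "via": via, "passed": allowed}

# Constructed sample: one public virtual IP that is 1:1 mapped to a mail server,
# with a port forward for 443 to a different web server on a non-standard port.
PUBLIC = "203.0.113.10"
FORWARDS = [PortForward(PUBLIC, "tcp", 443, "10.0.10.5", 8443, "HTTPS to web server")]
MAPPINGS = [OneToOne(PUBLIC, "10.0.0.5", "Mail server 1:1")]
MANUAL_RULES = [("10.0.0.5", 25)]   # hand-added WAN pass rule for SMTP only

def demo() -> list[dict]:
    return [handle(Inbound("tcp", PUBLIC, p), FORWARDS, MAPPINGS, MANUAL_RULES)
            for p in (443, 25, 3389)]

if __name__ == "__main__":
    for r in demo():
        print(r)
```

Port 443 is redirected to the web server by the port forward even though the same public IP is 1:1 mapped to the mail server; port 25 reaches the mail server because a pass rule was added by hand; port 3389 is translated by the 1:1 mapping but then dropped on the WAN, because nothing allows it.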
4. Adding Aliases
pfSense allows you to set up a number of different aliases. These save time when entering multiple ports or IP addresses into rules, and also cut down on the number of rules that need to be added.
The alias types offered are:
IP Alias (Hosts or Networks): This alias type contains a list of IP addresses you wish to group for use in rules, for example web servers or load balancers, or specific subnets you want grouped together.
Port Alias: This alias type contains a list of ports you wish to group, for example the ports needed by Plesk or cPanel
URLs: With a URL type alias, each entry contains a URL which returns text content containing a list of entries. Multiple URLs may be entered.
All: This tab shows all aliases in one place rather than on the individual tabs
Add an IP alias
To add an IP alias, click on Firewall and then Aliases, select the IP tab and then click the Add button.
This will bring up the form to add an alias; the following information needs to be added:
Name: This is the name you wish to give the alias. It is used later when adding the alias to firewall or NAT rules.
Description: Enter a relevant description of the alias here
Type: For IP aliases you can either select Hosts or networks depending on your needs
IP or FQDN / Network or FQDN: This is where you enter the IP address or network range you want added to the alias.
If you need more than one entry, click on the Add button at the bottom of the form and another entry row will be added.
Once you have filled in all of the relevant information, click on save
Add a Port Alias
To add a port alias, click on Firewall and then Aliases. Once on this page, select the Ports tab and click the Add button.
This will bring up the port alias form, which is very similar to the IP alias form; the following information needs to be added:
Name: This is the name you want to give the alias, this will then be used later on when adding the alias to firewall or NAT rules.
Description: Enter a relevant description of the alias here
Type: For a port alias, this must be set to Port(s)
Port and Description: This table lets you enter the port(s) you wish to add to the alias, along with a description of each port.
To add multiple ports, click on Add Port at the bottom of the page and extra blank entries will be added for you to fill in.
Add a URL alias
Adding a URL alias is very similar to the other alias types: click on Firewall and then Aliases, select the URLs tab and then Add.
There are a few different options for URL aliases; fill these in depending on your needs. The alias will then contain the list of entries returned by the URLs you entered.
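As an added illustration of what a rule actually matches when it refers to an alias (this is example code written for this page, not part of the guide or of pfSense), the following resolves constructed IP and port aliases, including an alias whose entries are other aliases, into the networks and port ranges the firewall ends up comparing against. Alias names and entries are made up; that aliases can be nested and that port ranges are written as low:high are assumptions about pfSense's alias conventions.

```python
# Added example: how pfSense-style IP and port aliases resolve when a rule
# refers to them, including an alias that contains other aliases. Not code from
# the guide or from pfSense; the alias names and entries are constructed, and
# the nesting and "low:high" range notation are assumptions about pfSense.
from ipaddress import ip_address, ip_network

IP_ALIASES = {
    "web_servers": ["10.0.10.5", "10.0.10.6"],       # Type: Hosts
    "lb_subnet": ["10.0.20.0/24"],                   # Type: Networks
    "lan_services": ["web_servers", "lb_subnet"],   # alias made of aliases
}
PORT_ALIASES = {
    "cpanel_ports": ["2082:2083", "2086:2087", "2095:2096"],
    "web_and_panel": ["80", "443", "cpanel_ports"],
}

def resolve_ip_alias(name, aliases=IP_ALIASES, _seen=frozenset()):
    """Expand an alias into a flat list of ip_network objects (hosts become /32).
    _seen guards against an alias that (indirectly) contains itself."""
    if name in _seen:
        raise ValueError(f"alias loop through {name}")
    nets = []
    for entry in aliases[name]:
        if entry in aliases:
            nets.extend(resolve_ip_alias(entry, aliases, _seen | {name}))
        else:
            nets.append(ip_network(entry, strict=False))
    return nets

def resolve_port_alias(name, aliases=PORT_ALIASES, _seen=frozenset()):
    """Expand a port alias into a list of (low, high) inclusive ranges."""
    if name in _seen:
        raise ValueError(f"alias loop through {name}")
    ranges = []
    for entry in aliases[name]:
        if entry in aliases:
            ranges.extend(resolve_port_alias(entry, aliases, _seen | {name}))
        else:
            low, _, high = entry.partition(":")
            ranges.append((int(low), int(high or low)))
    return ranges

def ip_in_alias(addr, name, aliases=IP_ALIASES):
    """Would a packet from/to addr match a rule whose source/destination is this alias?"""
    return any(ip_address(addr) in net for net in resolve_ip_alias(name, aliases))

def port_in_alias(port, name, aliases=PORT_ALIASES):
    """Would a packet on this port match a rule whose port field is this alias?"""
    return any(lo <= port <= hi for lo, hi in resolve_port_alias(name, aliases))

if __name__ == "__main__":
    print(resolve_ip_alias("lan_services"))
    print(resolve_port_alias("web_and_panel"))
    print(ip_in_alias("10.0.20.44", "lan_services"), port_in_alias(2083, "web_and_panel"))
```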
5. Adding Virtual IP Addresses
You can add multiple IP addresses to pfSense as long as you have free addresses available to use.
If you do not have any spare IP addresses, please raise a support ticket requesting the number of IP addresses you require and what you intend to use them for. Please note: we provide up to 5 IP addresses free of charge.
Once you have extra IP addresses you then need to add them to the firewall in order to use them.
To do this click on Firewall and then Virtual IPs
This will take you to the overview page, which shows any IP addresses you have already added. To add a new one, click on Add.
This will bring up the Virtual IP form and the following information needs to be added:
Type: Click on IP Alias
Interface: WAN
Address Type: Single IP
Address(es): This is the IP address provided by the support team, with the CIDR mask; normally this is /24
Description: enter a relevant description for the new IP here.
Once you have entered all of the information, click on the Save button and then on the reload button when it appears; this will add the IP address to the firewall for use.
6. Advanced Features
These features are covered by the official Netgate guides linked below.
OpenVPN
https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/index.html
https://docs.netgate.com/pfsense/en/latest/packages/openvpn-client-export.html
Site to Site VPN
https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-s2s-psk.html
DNS
https://docs.netgate.com/pfsense/en/latest/services/dns/index.html
DHCP
Warning: DHCP should only ever be enabled on the LAN interface, not WAN
https://docs.netgate.com/pfsense/en/latest/services/dhcp/index.html
Package Manager
https://docs.netgate.com/pfsense/en/latest/packages/manager.html
7. Back Up and Restore Configuration
pfSense allows backups of the firewall configuration to be taken so that, if anything goes wrong, you can quickly and easily re-apply the last known working configuration.
This is useful if a rule is misconfigured and you need to revert, or if a hardware issue occurs and a replacement firewall is provisioned to take over.
The backup file is created as an XML document and downloaded through the browser you are accessing the firewall from. We would advise storing it in a secure location, as it contains the full firewall configuration, including credentials and keys.
Take a backup
To take a backup of the current firewall configuration, click on the Diagnostics tab and then on Backup & Restore.
This will take you to the backup and restore page where you can download the backup or restore one.
Use the following options to take a backup:
Backup Area: All
Skip Packages: This depends on your needs; if you have installed extra packages whose configuration also needs to be backed up, do not skip them.
Include Extra Data: Again this depends on your needs; it adds DHCP server leases and captive portal databases if you use them.
Backup SSH Keys: This is ticked by default
Encryption: This should be ticked and a secure, unique password entered. This encrypts the backup; store the password in a secure location, as the backup cannot be restored without it.
To download the backup, click on Download configuration as XML.
This will download the file to your browser, and you can then store it in a secure location.
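Because a plaintext config.xml carries the whole firewall configuration, it is worth checking a downloaded backup before it is archived. The following is an added Python example (not code from this guide or from pfSense) that tells an encrypted backup apart from a plaintext one and, for a plaintext file, lists WAN pass rules with no description or with an any-to-any match so they can be reviewed. The header lines of the encrypted wrapper and the config.xml element names it looks at are assumptions about pfSense's file formats; both sample files are constructed for the example.

```python
# Added example: a pre-archive check for a downloaded pfSense backup. Not code
# from the guide or from pfSense. The encrypted-wrapper marker and the
# config.xml element names are assumptions; the sample files are constructed.
import xml.etree.ElementTree as ET

ENCRYPTED_MARKER = "---- BEGIN config.xml ----"   # assumed first line of an encrypted backup

SAMPLE_PLAINTEXT = """<?xml version="1.0"?>
<pfsense>
  <system><hostname>fw1</hostname></system>
  <filter>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any></any></source>
      <destination><address>10.0.10.5</address><port>443</port></destination>
      <descr>Allow HTTPS to web server</descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>any</protocol>
      <source><any></any></source>
      <destination><any></any></destination>
      <descr></descr>
    </rule>
    <rule>
      <type>pass</type><interface>lan</interface><protocol>any</protocol>
      <source><network>lan</network></source>
      <destination><any></any></destination>
      <descr>Default allow LAN to any</descr>
    </rule>
  </filter>
</pfsense>
"""

SAMPLE_ENCRYPTED = """---- BEGIN config.xml ----
Version: pfSense (constructed sample)
Encryption: AES-256-CBC

bm90IGEgcmVhbCBjaXBoZXJ0ZXh0
---- END config.xml ----
"""

def classify_backup(text: str) -> str:
    """'encrypted' for the wrapper format, 'plaintext' for raw config.xml."""
    stripped = text.lstrip()
    if stripped.startswith(ENCRYPTED_MARKER):
        return "encrypted"
    if stripped.startswith("<?xml") or stripped.startswith("<pfsense"):
        return "plaintext"
    return "unknown"

def audit_wan_rules(xml_text: str) -> list:
    """Flag WAN pass rules that are undocumented or match any source to any
    destination. Element names (filter/rule, type, interface, source/any,
    destination/any, descr) are assumptions about config.xml."""
    root = ET.fromstring(xml_text)
    if root.tag != "pfsense":
        raise ValueError("not a pfSense config.xml")
    findings = []
    for i, rule in enumerate(root.findall("./filter/rule"), start=1):
        if rule.findtext("type") != "pass" or rule.findtext("interface") != "wan":
            continue
        descr = (rule.findtext("descr") or "").strip()
        # an empty <any/> element is falsy, so compare with None explicitly
        src_any = rule.find("source/any") is not None
        dst_any = rule.find("destination/any") is not None
        if not descr:
            findings.append(f"rule {i}: WAN pass rule has no description")
        if src_any and dst_any:
            findings.append(f"rule {i}: WAN pass rule allows any source to any destination")
    return findings

def check_before_archiving(text: str) -> dict:
    kind = classify_backup(text)
    report = {"kind": kind, "safe_to_archive": kind == "encrypted", "findings": []}
    if kind == "plaintext":
        report["findings"] = audit_wan_rules(text)
    return report

if __name__ == "__main__":
    print(check_before_archiving(SAMPLE_ENCRYPTED))
    print(check_before_archiving(SAMPLE_PLAINTEXT))
```

The check deliberately refuses to treat a plaintext file as safe to archive even when the audit finds nothing, since the problem with a plaintext backup is what it contains, not whether the rules in it are tidy.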
Restore a backup
To restore a backup, click on the Diagnostics tab and then on Backup & Restore.
This will take you to the Backup & Restore page, where you can upload the file to be restored.
To restore the backup, select the following options:
Restore Area: All
Configuration File: This lets you browse to the location of the backup XML file on your local machine
Encryption: This should be ticked if it was ticked when you downloaded the backup, and the same password entered again. If no encryption was used when downloading the backup, it can be left unticked.
Once you have selected the file and the relevant options, click on Restore Configuration. This can take some time and the firewall will reboot during the restore. After the reboot, the firewall will be reset to the configuration provided.
8. How to Update the Firewall
pfSense receives regular updates, from minor to major version updates, all provided by Netgate, who create the software. To check for updates, the process is:
Info: We highly recommend taking a backup of the current firewall configuration before installing any updates <link to backup page>
How to check and install updates
Checking for updates is quick and easy.
Log into the firewall and wait for the main dashboard page to load. When the dashboard first loads, it checks for updates and displays them.
This will show whether a new version is available, along with a cloud icon that lets you download and install the update.
Click on the blue cloud icon to go to the System Update page, which shows the current version of the firewall and the version pending installation.
Click on the confirm button to proceed with the update.
This will take you to the updater, which shows a progress bar that advances with each installed update or package.
When the update is finished, the firewall will automatically reboot, and the page will refresh every 60 seconds until it comes back up.