Installing pfSense on a Protectli appliance

For this article we will be installing pfSense 2.4.4-p1 on a Protectli Model-FW4A-04-32. The Protectli was loaned to us for testing and, as of this article, pfSense 2.4.4-p1 is the latest stable version.

This post is by no means an exhaustive tutorial on pfSense and Protectli devices. It is primarily for our education to understand the basics of this solution for possible deployment in the field for our clients. With that said, we hope some of you find it useful.

Getting the Hardware

The first step is building and/or purchasing the hardware. Make sure to research what features you’ll need and what will be required to power it. Netgate is the official hardware vendor for the pfSense software and offers multiple tiers of technical support. However, there are other options, like the Protectli device that we will be using, that work very well with pfSense. There are rumors that the Raspberry Pi might even be supported some day. There seem to be some technical challenges around the NIC design and ARM speed at this time, but progress is made almost daily. You can also build your own device using the hardware guide here.

Netgate

Based out of Austin, TX and the developer of pfSense since 2012, they offer stock devices and customized devices.

>> Visit the site

Protectli

Based out of Carlsbad, CA, Protectli manufactures small, fanless firewall devices and works well with pfSense.

>> Visit the site

Custom Build

If you are a DIY builder of computer devices and would like to create your own, here are the specs needed.

>> Visit the site

Getting the pfSense Image

The first step is to get the pfSense image. The second step is to write it to a USB flash drive so it can be loaded onto your hardware device.

Getting the Image

Downloading the Image

Visit the pfSense website to get the latest stable version. The architectures supported at this time are AMD 64-bit and Netgate ADI (Serial only). You can either use a Memory stick (USB Appliances) or CD Image (Virtual Machines/CD-ROMs) for the image. Each image includes an installer for installing pfSense onto the hard drive of your system. Select either VGA or console for your installation.

>> Latest stable pfSense version <<

You can also download the Source Code and read the Release Notes. There is a forum here as well for more information or to post any questions. The checksum info is available here.

Prepping the Image

USB Memory Stick

For our testing, we chose the USB Memstick Installer. After installation, we checked the sha256 hash and its signature.

pfSense-CE-memstick-2.4.4-RELEASE-p1-amd64.img.gz
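The SHA-256 check mentioned above can be scripted as follows. This is an added example, not code from the original article or from the pfSense project; it covers the hash comparison only (not the signature), and it assumes the published checksum is a single line in either BSD (`SHA256 (file) = hex`) or GNU (`hex  file`) layout. The file written in `demo()` is a constructed stand-in, not the real image.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Assumed checksum layouts. BSD: SHA256 (name) = <hex>   GNU: <hex>  name
BSD_LINE = re.compile(r"^SHA256 \((?P<name>.+)\) = (?P<digest>[0-9a-fA-F]{64})$")
GNU_LINE = re.compile(r"^(?P<digest>[0-9a-fA-F]{64})\s+\*?(?P<name>.+)$")

def parse_checksum_line(line):
    """Return (filename, lowercase hex digest) from one checksum line."""
    line = line.strip()
    match = BSD_LINE.match(line) or GNU_LINE.match(line)
    if match is None:
        raise ValueError("unrecognised checksum line: %r" % line)
    return match.group("name"), match.group("digest").lower()

def sha256_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large image is never fully in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_image(image_path, checksum_line):
    """True only if the line names this file and the digests match."""
    name, expected = parse_checksum_line(checksum_line)
    if name != Path(image_path).name:
        return False  # the checksum belongs to a different download
    return hmac.compare_digest(sha256_of(image_path), expected)

def demo():
    """Constructed stand-in for the download; not the real pfSense image."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "pfSense-CE-memstick-2.4.4-RELEASE-p1-amd64.img.gz"
        image.write_bytes(b"constructed sample bytes")
        good = hashlib.sha256(b"constructed sample bytes").hexdigest()
        ok = verify_image(image, "SHA256 (%s) = %s" % (image.name, good))
        image.write_bytes(b"constructed sample bytes, altered")  # simulate corruption
        tampered = verify_image(image, "%s  %s" % (good, image.name))
        return ok, tampered

if __name__ == "__main__":
    print(demo())
```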

We highly recommend using “The Image Tool” from Alex’s Coding Playground. It makes the process much easier.

>> The Image Tool <<

Once you have downloaded the image tool, use the option to “Restore” the pfSense Memstick .gz image to the USB Memory Stick. The process will create 3 partitions. On our Windows machine, we were prompted to format one of the partitions; it is okay to ignore the prompt.

 

Example Configuration

This is an example configuration for our testing as of 2-24-2019.

THE IMAGE TOOL

Here is a screenshot of the Image Tool restoring the Image file.

Installing the pfSense Image

After the image has been downloaded and written to a Memory Stick, the next step is to install it onto our Hardware Device.

USB Memory Stick

INSTALLING THE IMAGE TO HDD

With our USB Memory Stick in hand, we plugged it into our Protectli device and started it up. Since there were only 2 USB ports, we plugged our Memory Stick into one and the keyboard into the other. Our install started automatically, but there is an option at first boot to select Boot Options (6).

STEP 1 – LICENSING

The FIRST screen is the License Agreement, click ACCEPT to proceed.

STEP 2 – RUN MODE

The SECOND screen shows the Install options. The first is the main INSTALL option, and the other 2 are for rescue and recovery.

STEP 3 – KEYMAPPING

The THIRD screen is for the keymapping (language).

STEP 4 – PARTITIONING

The FOURTH screen is for partitioning. You can elect to have the system guide you through this process or you can perform the process manually. You can also open a Shell or use Guided-Root. It will then ask if you want to use and format the entire disk.

STEP 5 – SCHEME

The FIFTH screen is for the Partition Scheme which includes an Apple Partition Map, BSD labels, GPT (default), DOS Partitions, NEC and Sun Partition Tables. 

STEP 6 – FINISH

The SIXTH screen is for reviewing the partitions. If you chose automatic and the defaults you can select (F)inish to proceed. You will see the various progress bars as the system installs. It took about 3 minutes for the entire process on our device. When finished, reboot the system or open the shell for any modifications.

Using the System

CONFIGURING THE BASICS

Once the image has been installed and the device rebooted, the default LAN IP address will be set to 192.168.1.1/24. At the Main Menu, you can select (2) to change that to a different address. In this wizard, you can also enable the DHCP Server on the LAN port. 

Access the Setup Wizard in a browser using the LAN IP. The default username is admin, and the default password is pfsense. 

STEP 1 – SUPPORT

The FIRST screen will display information about getting technical support for your new setup.

STEP 2 – GENERAL

The SECOND screen will allow you to set the hostname, domain (optional) and the DNS config (Manual or Override from WAN).

STEP 3 – TIME SERVER

The THIRD screen will allow you to set the default Time Server Hostname and the Time Zone. 

STEP 4 – WAN CONFIG

The FOURTH screen is for configuring all the WAN options including the Interface (Static or DHCP), MAC Spoofing, MTU, PPPoE and PPTP.

STEP 5 – LAN CONFIG

The FIFTH screen is for configuring the LAN IP and subnet mask. 

STEP 6 – PASSWORD

The SIXTH screen is for changing the admin password. After changing the default password to your own, reload the device with the new settings and you are ready for basic use. The final page displays options for Support, Checking for Updates and some additional resources for using pfSense. Click FINISH when done. 

 

 

Using the pfSense Dashboard

The Dashboard is where you can configure all the settings for pfSense.

System

ADVANCED > Admin Access, NAT, Notifications, etc.
CERTIFICATE MANAGER > Includes self-signed cert.
GENERAL SETUP > Hostname, DNS, Time, Theme.
HIGH AVAILABILITY > Sync 2 pfSense devices.
PACKAGE MGR > Install plug-ins for more functions.
ROUTING > Gateways and Static Routes.
SETUP WIZARD > Can run the Wizard again.
UPDATE > Make sure pfSense is up-to-date.
USER MGR > Users, Groups, permissions, RADIUS.

Interfaces

ASSIGNMENTS > Ports, WiFi, VLANs, Groups, GREs.
WAN > Enable, Type, Client Config, Reserved Network
LAN > Enable, DHCP Server, Reserved Networks. 

Firewall

ALIASES > IPs, Ports and URLs.
NAT > Port Forwarding, 1:1, Outbound, NPt
RULES > Floating, WAN and LAN.
SCHEDULES > Automatic Actions.
TRAFFIC SHAPER > Interface, Queue, Limiters, Wizard.
VIRTUAL IPs > WAN, LAN and passwords, etc.

Services

AUTO BACKUP > Settings, Restore, Backup Now
CAPTIVE PORTAL > Guest Users web page redirect.
DHCP RELAY (4,6) > Enable DHCP relay on LAN int.
DHCP SERVER (4,6) > Enable, Range, Servers, Options.
DNS FORWARDER > Enable, Listen Port, Overrides.
DNS RESOLVER > General, Advanced Settings, Access.
DYNAMIC DNS > Static IP service for non-static WANs.
IGMP PROXY > Enable, Proxy Settings.
LOAD BALANCER > Pools, Virtual Servers, Settings.
NTP > Time Servers, ACLs, Serial GPS, PPS.
PPPoE Server > For PPPoE clients, enable, set Firewall
SNMP > Traps, Settings, Bindings.
UPNP & NAT-PMP > Port Mapping, Access Control.
WAKE-ON-LAN > LAN, Mac Address, Devices.

VPN

IPSEC > Tunnels, Mobile, Pre-Shared Keys, Advanced.
L2TP > Enable, Settings, Users, Authentication, etc.
OPENVPN > Server, Clients, and Client Wizard.

Status

CAPTIVE PORTAL
CARP (FAILOVER)
DASHBOARD
DHCP (4,6) LEASES 
DNS RESOLVER
FILTER RELOAD
GATEWAYS
INTERFACES
IPSEC
LOAD BALANCER
MONITORING
NTP 
OPENVPN
PACKAGE LOGS
QUEUES
SERVICES
SYSTEM LOGS
TRAFFIC GRAPH
UPNP & NAT-PMP

Diagnostics

ARP TABLE
AUTHENTICATION
BACKUP & RESTORE
COMMAND PROMPT
DNS LOOKUP
FACTORY DEFAULTS
SHUTDOWN & REBOOT
PACKET CAPTURE
PFINFO, PFTOP, PING & TRACE ROUTE
ROUTES, SOCKETS, STATUS & TABLES

Help

About, Bugs, Support, Documentation, User Forum.

More pfSense Details

A drill-down on some of the items in the previous sections.

DHCP Reservations

pfSense doesn’t offer traditional DHCP reservations within the DHCP pool. A static assignment has to be outside of the pool. This is a different approach than what most home and SMB routers take, and can be a bit confusing at times for those coming from that environment over to pfSense for the first time. Most of those consumer and SMB routers allow you to set a static DHCP assignment inside of the DHCP pool, and some will only allow the assignments inside the DHCP pool. The way we handle this on most pfSense setups is simply to start the DHCP pool at .50 or so, reserving .2-.49 for statics.
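The layout described above can be checked against a configuration backup before it is restored. This is an added example, not code from the original article or from pfSense; the XML fragment is constructed, and its element names (`dhcpd/lan/range`, `staticmap`, `ipaddr`, `hostname`) are an assumption about how a config.xml backup is laid out.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed fragment; element names assume a pfSense config.xml backup.
SAMPLE_CONFIG = """
<pfsense>
  <interfaces><lan><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan></interfaces>
  <dhcpd><lan>
    <range><from>192.168.1.50</from><to>192.168.1.254</to></range>
    <staticmap><hostname>printer</hostname><ipaddr>192.168.1.10</ipaddr></staticmap>
    <staticmap><hostname>nas</hostname><ipaddr>192.168.1.60</ipaddr></staticmap>
    <staticmap><hostname>camera</hostname><ipaddr>192.168.2.5</ipaddr></staticmap>
    <staticmap><hostname>switch</hostname><ipaddr>192.168.1.10</ipaddr></staticmap>
  </lan></dhcpd>
</pfsense>
"""


def audit_static_maps(config_xml, iface="lan"):
    """Return {hostname: problem} for static mappings that break the layout."""
    root = ET.fromstring(config_xml)
    lan = root.find("interfaces/%s" % iface)
    network = ipaddress.ip_interface(
        "%s/%s" % (lan.findtext("ipaddr"), lan.findtext("subnet"))).network
    dhcp = root.find("dhcpd/%s" % iface)
    pool_from = ipaddress.ip_address(dhcp.findtext("range/from"))
    pool_to = ipaddress.ip_address(dhcp.findtext("range/to"))
    problems, seen = {}, {}
    for entry in dhcp.findall("staticmap"):
        host = entry.findtext("hostname")
        text = entry.findtext("ipaddr")
        if not text:
            continue  # mapping without a fixed address; nothing to check
        addr = ipaddress.ip_address(text)
        if addr not in network:
            problems[host] = "outside LAN subnet %s" % network
        elif pool_from <= addr <= pool_to:
            problems[host] = "inside DHCP pool %s-%s" % (pool_from, pool_to)
        elif addr in seen:
            problems[host] = "same address as %s" % seen[addr]
        seen.setdefault(addr, host)
    return problems


if __name__ == "__main__":
    for host, problem in audit_static_maps(SAMPLE_CONFIG).items():
        print(host, "->", problem)
```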

Snort IPS

Snort is a free package that can be installed under the SYSTEM > PACKAGE MANAGER section. Once installed, you can find it listed under the Package Manager and the SERVICES section. You can configure the settings under the SERVICES > SNORT section.