Installing pfSense on a Protectli appliance
For this article we will be installing pfSense 2.4.4-p1 on a Protectli Model-FW4A-04-32. The Protectli was loaned to us for testing and, as of this article, pfSense 2.4.4-p1 is the latest stable version.
This post is by no means an exhaustive tutorial on pfSense and Protectli devices. It is primarily for our education to understand the basics of this solution for possible deployment in the field for our clients. With that said, we hope some of you find it useful.
Getting the Hardware
The first step is building and/or purchasing the hardware. Make sure to research what features you’ll need and what will be required to power it. Netgate is the official hardware vendor for the pfSense software and offers multiple tiers of technical support. However, there are other options, like the Protectli device that we will be using, that work very well with pfSense. There are rumors that Raspberry Pi might even be supported some day; there seem to be some technical challenges around the NIC design and ARM speed at this time, but progress is made almost daily. You can also build your own device using the hardware guide here.
Netgate
Based out of Austin, TX and the developer of pfSense since 2012, they offer stock devices and customized devices.
Protectli
Based out of Carlsbad, CA, Protectli manufactures small, fanless firewall devices that work well with pfSense.
Custom Build
If you are a DIY builder of computer devices and would like to create your own, here are the specs needed.
Getting the pfSense Image
The first step is to get the pfSense image; the second step is to write it to a USB flash drive so it can be installed on your hardware device.
Getting the Image
Downloading the Image
Visit the pfSense website to get the latest stable version. The architectures supported at this time are AMD 64-bit and Netgate ADI (Serial only). You can use either a Memory Stick image (USB Appliances) or a CD Image (Virtual Machines/CD-ROMs). Each image includes an installer for installing pfSense onto the hard drive of your system. Select either VGA or console for your installation.
>> Latest stable pfSense version <<
You can also download the Source Code and read the Release Notes. There is a forum here as well for more information or to post any questions. The checksum info is available here.
Prepping the Image
USB Memory Stick
For our testing, we chose the USB Memstick Installer. After installation, we checked the SHA-256 hash and its signature.
pfSense-CE-memstick-2.4.4-RELEASE-p1-amd64.img.gz
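One way to script the hash check mentioned above, as an added example that is not part of the original article or of pfSense's own tooling. It assumes the published checksum line is in either BSD or GNU layout and must be copied from the official checksum page; the demo file and its contents are constructed stand-ins for the real image.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Checksum-file layouts accepted here (an assumption; check what your mirror ships):
# BSD style "SHA256 (name) = <hex>" and GNU style "<hex>  name".
_BSD = re.compile(r"^SHA256 \((?P<name>.+)\) = (?P<hex>[0-9a-fA-F]{64})$")
_GNU = re.compile(r"^(?P<hex>[0-9a-fA-F]{64})\s+\*?(?P<name>.+)$")

def parse_checksum_line(line):
    """Return (filename, lowercase hex digest) or raise ValueError."""
    m = _BSD.match(line.strip()) or _GNU.match(line.strip())
    if not m:
        raise ValueError("unrecognised checksum line")
    return m.group("name"), m.group("hex").lower()

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a large image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_image(image_path, checksum_line):
    """True only if the line names this exact file and the digest matches."""
    name, expected = parse_checksum_line(checksum_line)
    if name != Path(image_path).name:
        return False
    return hmac.compare_digest(sha256_file(image_path), expected)

def demo():
    """Constructed stand-in for the download, named like the page's image."""
    name = "pfSense-CE-memstick-2.4.4-RELEASE-p1-amd64.img.gz"
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / name
        image.write_bytes(b"constructed sample bytes, not a real image")
        line = f"SHA256 ({name}) = {sha256_file(image)}"
        intact = verify_image(image, line)
        image.write_bytes(b"constructed sample bytes, altered after hashing")
        return intact, verify_image(image, line)

if __name__ == "__main__":
    print(demo())
```

Run the check against the downloaded .gz before writing it to the USB stick, so a corrupted or substituted download is caught before it reaches the appliance.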
We highly recommend using “The Image Tool” from Alex’s Coding Playground. It makes the process much easier.
Once you have downloaded the image tool, use the “Restore” option to write the pfSense Memstick .gz image to the USB Memory Stick. The process will create 3 partitions. On our Windows machine, it prompted us to format one of the partitions; it is okay to ignore this.
Installing the pfSense Image
After the image has been downloaded and installed to a Memory Stick, the next step is to install it onto our Hardware Device.
USB Memory Stick
INSTALLING the Image TO HDD
With our USB Memory Stick in hand, we plugged it into our Protectli device and started it up. Since there were only 2 USB ports, we plugged our Memory Stick into one and the keyboard into the other. Our install started automatically, but there is an option at first boot to select Boot Options (6).
STEP 1 – LICENSING
The FIRST screen is the License Agreement, click ACCEPT to proceed.
STEP 2 – RUN MODE
The SECOND screen shows the install options. The first is the main INSTALL option, and the other 2 are for rescue and recovery.
STEP 3 – KEYMAPPING
The THIRD screen is for the keymapping (language).
STEP 4 – PARTITIONING
The FOURTH screen is for partitioning. You can elect to have the system guide you through this process or you can perform the process manually. You can also open a Shell or use Guided-Root. It will then ask if you want to use and format the entire disk.
STEP 5 – SCHEME
The FIFTH screen is for the partition scheme; the choices are Apple Partition Map, BSD labels, GPT (default), DOS partitions, NEC and Sun partition tables.
STEP 6 – FINISH
The SIXTH screen is for reviewing the partitions. If you chose automatic and the defaults you can select (F)inish to proceed. You will see the various progress bars as the system installs. It took about 3 minutes for the entire process on our device. When finished, reboot the system or open the shell for any modifications.
Using the System
CONFIGURING THE BASICS
Once the image has been installed and the device rebooted, the default LAN IP address will be set to 192.168.1.1/24. At the Main Menu, you can select (2) to change that to a different address. In this wizard, you can also enable the DHCP Server on the LAN port.
Access the Setup Wizard in a browser using the LAN IP. The default username is admin, and the default password is pfsense.
STEP 1 – SUPPORT
The FIRST screen will display information about getting technical support for your new setup.
STEP 2 – GENERAL
The SECOND screen will allow you to set the hostname, domain (optional) and the DNS config (Manual or Override from WAN).
STEP 3 – TIME SERVER
The THIRD screen will allow you to set the default Time Server Hostname and the Time Zone.
STEP 4 – WAN CONFIG
The FOURTH screen is for configuring all the WAN options including the Interface (Static or DHCP), MAC Spoofing, MTU, PPPoE and PPTP.
STEP 5 – LAN CONFIG
The FIFTH screen is for configuring the LAN IP and subnet mask.
STEP 6 – PASSWORD
The SIXTH screen is for changing the admin password. After changing the default password to your own, reload the device with the new settings and you are ready for basic use. The final page displays options for Support, Checking for Updates and some additional resources for using pfSense. Click FINISH when done.
Using the pfSense Dashboard
The Dashboard is where you can configure all the settings for pfSense.
System
ADVANCED > Admin Access, NAT, Notifications, etc.
CERTIFICATE MANAGER > Includes self-signed cert.
GENERAL SETUP > Hostname, DNS, Time, Theme.
HIGH AVAILABILITY > Sync 2 pfSense devices.
PACKAGE MGR > Install plug-ins for more functions.
ROUTING > Gateways and Static Routes.
SETUP WIZARD > Can run the Wizard again.
UPDATE > Make sure pfSense is up to date.
USER MGR > Users, Groups, permissions, RADIUS.
Interfaces
ASSIGNMENTS > Ports, WiFi, VLANs, Groups, GREs.
WAN > Enable, Type, Client Config, Reserved Network
LAN > Enable, DHCP Server, Reserved Networks.
Firewall
ALIASES > IPs, Ports and URLs.
NAT > Port Forwarding, 1:1, Outbound, NPt
RULES > Floating, WAN and LAN.
SCHEDULES > Automatic Actions.
TRAFFIC SHAPER > Interface, Queue, Limiters, Wizard.
VIRTUAL IPs > WAN, LAN and passwords, etc.
Services
AUTO BACKUP > Settings, Restore, Backup Now
CAPTIVE PORTAL > Guest Users web page redirect.
DHCP RELAY (4,6) > Enable DHCP relay on LAN int.
DHCP SERVER (4,6) > Enable, Range, Servers, Options.
DNS FORWARDER > Enable, Listen Port, Overrides.
DNS RESOLVER > General, Advanced Settings, Access.
DYNAMIC DNS > Static IP service for non-static WANs.
IGMP PROXY > Enable, Proxy Settings.
LOAD BALANCER > Pools, Virtual Servers, Settings.
NTP > Time Servers, ACLs, Serial GPS, PPS.
PPPoE Server > For PPPoE clients, enable, set Firewall
SNMP > Traps, Settings, Bindings.
UPNP & NAT-PMP > Port Mapping, Access Control.
WAKE-ON-LAN > LAN, Mac Address, Devices.
VPN
IPSEC > Tunnels, Mobile, Pre-Shared Keys, Advanced.
L2TP > Enable, Settings, Users, Authentication, etc.
OPENVPN > Server, Clients, and Client Wizard.
Status
CAPTIVE PORTAL
CARP (FAILOVER)
DASHBOARD
DHCP (4,6) LEASES
DNS RESOLVER
FILTER RELOAD
GATEWAYS
INTERFACES
IPSEC
LOAD BALANCER
MONITORING
NTP
OPENVPN
PACKAGE LOGS
QUEUES
SERVICES
SYSTEM LOGS
TRAFFIC GRAPH
UPNP & NAT-PMP
Diagnostics
ARP TABLE
AUTHENTICATION
BACKUP & RESTORE
COMMAND PROMPT
DNS LOOKUP
FACTORY DEFAULTS
SHUTDOWN & REBOOT
PACKET CAPTURE
PFINFO, PFTOP, PING & TRACE ROUTE
ROUTES, SOCKETS, STATUS & TABLES
Help
About, Bugs, Support, Documentation, User Forum.
More pfSense Details
A drill-down on some of the items from the previous sections.
DHCP Reservations
pfSense doesn’t offer traditional DHCP reservations within the DHCP pool; a static mapping has to use an address outside of it. This is a different approach from what most home and SMB routers take, and it can be a bit confusing for those coming to pfSense from that environment for the first time. Most of those consumer and SMB routers allow you to set a static DHCP assignment inside the DHCP pool, and some will only allow assignments inside the pool. The way we handle this on most pfSense setups is simply to start the DHCP pool at .50 or so, reserving .2-.49 for statics.
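The addressing rule above can be checked before anything is typed into the DHCP Server page. This is an added example, not part of the original article or of pfSense; the function name `check_dhcp_plan`, the .50-.254 pool and the host names and addresses in `SAMPLE` are assumptions constructed for illustration.

```python
import ipaddress

def check_dhcp_plan(lan_cidr, pool_start, pool_end, static_maps):
    """Return a list of problems; an empty list means the plan is consistent.

    lan_cidr    -- firewall LAN address with prefix, e.g. "192.168.1.1/24"
    static_maps -- {hostname: ip} static mappings planned for that interface
    """
    iface = ipaddress.ip_interface(lan_cidr)
    net, gateway = iface.network, iface.ip
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    problems = []
    if start > end or start not in net or end not in net:
        problems.append("pool range is not a valid range inside the LAN subnet")
    seen = {}
    for host, raw in static_maps.items():
        ip = ipaddress.ip_address(raw)
        if ip not in net:
            problems.append(f"{host}: {ip} is outside {net}")
        elif ip in (net.network_address, net.broadcast_address, gateway):
            problems.append(f"{host}: {ip} is reserved (network, broadcast or firewall)")
        elif start <= ip <= end:
            problems.append(f"{host}: {ip} is inside the pool {start}-{end}")
        if ip in seen:
            problems.append(f"{host}: {ip} already mapped to {seen[ip]}")
        seen.setdefault(ip, host)
    return problems

# Constructed sample plan: pool starts at .50, statics are meant to live in .2-.49.
SAMPLE = {
    "printer": "192.168.1.10",
    "nas": "192.168.1.49",
    "camera": "192.168.1.60",   # mistake: falls inside the pool
    "laptop": "192.168.1.10",   # mistake: duplicates the printer's address
    "oops": "192.168.2.5",      # mistake: not on the LAN subnet at all
}

if __name__ == "__main__":
    for p in check_dhcp_plan("192.168.1.1/24", "192.168.1.50", "192.168.1.254", SAMPLE):
        print(p)
```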
Snort IPS
Snort is a free package that can be installed under the SYSTEM > PACKAGE MANAGER section. Once installed, you can find it listed under the Package Manager and the SERVICES section. You can configure the settings under the SERVICES > SNORT section.