Perform the Installation
This section describes the process of installing pfSense® software to a target drive, such as an SSD or HDD. In a nutshell, this involves booting from the installation memstick, ISO, or optical disc and then completing the installer.
This procedure uses the Netgate Installer.
Note
If the installer encounters an error while trying to boot or install from the installation media, see Troubleshooting Installation Issues.
Prerequisites
The following items are requirements to run the installer:
A network connection capable of reaching the Internet
This installer is an online installer and requires Internet connectivity to download installation data from Netgate servers. Currently the installer supports DHCP, static IP address, and PPPoE configurations. Connect the WAN port of the device to a live network connection supporting one of those connectivity types.
See also
Virtual environments may have additional requirements; see the following documents for examples:
See also
Hangouts Archive also covers a variety of relevant topics.
Booting the Install Media
For USB memstick installations, insert the USB memstick and then power on the target system. The BIOS may require the disk to be inserted before the hardware boots.
For DVD installations, power on the hardware and then place the disc into an optical drive.
Certain systems may need to be nudged to boot from the installer image in different ways. Typically this involves hitting a hotkey during boot to bring up a boot menu, going into the BIOS to pick a boot device, or invoking a special command from a BIOS prompt.
Consult the Netgate Product Manuals for information on booting install media on various Netgate hardware. For third-party hardware, check with the OEM.
Once the device boots from the install media, the installer will launch automatically.
Specifying Boot Order in BIOS
If the target system will not boot from the USB memstick or CD, the most likely reason is that the given device was not found early enough in the list of boot media in the BIOS. Many newer motherboards support a one time boot menu invoked by pressing a key during POST, commonly Esc or F12.
Failing that, change the boot order in the BIOS. First, power on the hardware and enter the BIOS setup. The boot order option is typically found under a Boot or Boot Priority heading, but it could be anywhere. If support for booting from a USB or optical drive is not enabled, or has a lower priority than booting from a hard drive containing another OS, the hardware will not boot from the installer media. Consult the motherboard manual for more detailed information on altering the boot order.
Installing to the Target Drive
Serial Console Terminal Type
For installations using a serial console connection, the first prompt will ask for the terminal type to use for the installer. For PuTTY or GNU screen, xterm is the best type to use. The following terminal types can be used:
- ansi: Generic terminal with color coding
- vt100: Generic terminal without color, most basic/compatible option, select if no others work
- xterm: X terminal window. For modern terminal clients such as GNU screen, PuTTY, SecureCRT, Tabby, and other similar clients the xterm choice is most likely to produce the best looking output.
- cons25w: FreeBSD console style terminal
The installer assumes cons25w for VGA consoles.
Performing the Installation
The installer contents are the same for both console types. The following document walks through the installation process in its entirety.
pfSense Software Default Configuration
After installation and interface assignment, pfSense software has the following default configuration:
- WAN is configured as an IPv4 DHCP client.
- WAN is configured as an IPv6 DHCP client and will request a prefix delegation.
- LAN is configured with a static IPv4 address of 192.168.1.1/24.
- LAN is configured to use a delegated IPv6 address/prefix obtained by WAN (Track IPv6) if one is available.
- All incoming connections to WAN are blocked by the firewall.
- All outgoing connections from LAN are allowed by the firewall.
- The firewall performs NAT on IPv4 traffic leaving WAN from the LAN subnet.
- The firewall will act as an IPv4 DHCP Server.
- The firewall will act as an IPv6 DHCPv6 Server if a prefix delegation was obtained on WAN, and also enables SLAAC.
- The DNS Resolver is enabled so the firewall can accept and respond to DNS queries.
- SSH is disabled.
- WebGUI is running on port 443 using HTTPS.
- Default credentials are set as described in Default Username and Password.
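A post-install check of the LAN-facing defaults listed above, added here as an example and not part of Netgate's tooling. It assumes it runs from a host on the LAN and that SSH and DNS use their standard ports 22 and 53; `probe` and `audit_defaults` are names chosen for this example.

```python
import socket
import ssl

# Documented LAN-side defaults: WebGUI speaks HTTPS on 443, SSH is disabled,
# DNS Resolver answers queries. Ports 22 and 53 are the standard SSH and DNS
# ports (an assumption; the page itself names only port 443).
EXPECTED = {
    443: ("WebGUI", "tls"),
    22: ("SSH", "closed"),
    53: ("DNS Resolver", "open"),
}


def probe(host, port, timeout=3.0):
    """Classify host:port as 'closed', 'open' (plain TCP) or 'tls'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    # Certificate validation is skipped on purpose: this only detects whether
    # the service speaks TLS; it does not authenticate the firewall.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock):
            return "tls"
    except OSError:  # ssl.SSLError and timeouts are OSError subclasses
        return "open"
    finally:
        sock.close()


def audit_defaults(host="192.168.1.1", probe_fn=probe):
    """Return (port, service, expected, observed) for every mismatch."""
    drift = []
    for port, (service, expected) in EXPECTED.items():
        observed = probe_fn(host, port)
        if observed != expected:
            drift.append((port, service, expected, observed))
    return drift


if __name__ == "__main__":
    findings = audit_defaults()
    for port, service, expected, observed in findings:
        print(f"DRIFT tcp/{port} {service}: expected {expected}, observed {observed}")
    if not findings:
        print("LAN-facing services match the documented defaults")
```

Run it from a LAN host after installation and again after configuration changes; a DRIFT line for tcp/22 means SSH has been enabled since the defaults were applied.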