Netgate is offering COVID-19 aid for pfSense software users, learn more.

Console Menu Basics

Basic configuration and maintenance tasks can be performed from the pfSense® system console. The console is available using a keyboard and monitor, serial console, or by using SSH. Access methods vary depending on hardware. Below is an example of what the console menu will look like, but it may vary slightly depending on the version and platform:

*** Welcome to pfSense 2.4.5-RELEASE-p1 (amd64) on pfsense ***

WAN (wan)       -> vmx0       -> v4/DHCP4:
                                 v6/DHCP6: 2001:db8::20c:29ff:fe78:6e4e/64
LAN (lan)       -> vmx1       -> v4:
                                 v6/t6: 2001:db8:1:eea0:20c:29ff:fe78:6e58/64

0) Logout (SSH only)                  9) pfTop
1) Assign Interfaces                 10) Filter Logs
2) Set interface(s) IP address       11) Restart webConfigurator
3) Reset webConfigurator password    12) PHP shell + pfSense tools
4) Reset to factory defaults         13) Update from console
5) Reboot system                     14) Disable Secure Shell (sshd)
6) Halt system                       15) Restore recent configuration
7) Ping host                         16) Restart PHP-FPM
8) Shell

1) Assign Interfaces

This option restarts the Interface Assignment task, which is covered in detail in Assign Interfaces and Manually Assigning Interfaces. This menu option can create VLAN interfaces, reassign existing interfaces, or assign new ones.

2) Set interface(s) IP address

The script to set an interface IP address can set WAN, LAN, or OPT interface IP addresses, but there are also other useful features of this script:

  • The firewall prompts to enable or disable DHCP service for an interface, and to set the DHCP IP address range if it is enabled.

  • If the firewall GUI is configured for HTTPS, the menu prompts to switch to HTTP. This helps in cases when the SSL configuration is not functioning properly.

  • If the anti-lockout rule on LAN has been disabled, the script enables the anti-lockout rule in case the user has been locked out of the GUI.

3) Reset webConfigurator password

This menu option invokes a script to reset the admin account password and status. The password is reset to the default value of pfsense.

The script also takes a few other actions to help regain entry to the firewall:

  • If the GUI authentication source is set to a remote server such as RADIUS or LDAP, it prompts to return the authentication source to the Local Database.

  • If the admin account has been removed, the script re-creates the account.

  • If the admin account is disabled, the script re-enables the account.

4) Reset to factory defaults

This menu choice restores the system configuration to factory defaults. It will also attempt to remove any installed packages.


This action will not make any other changes to the filesystem. If system files have been corrupted or altered in an undesirable way, the best practice is to make a backup, and reinstall from installation media.

This action is also available in WebGUI at Diagnostics > Factory Defaults

5) Reboot system

This menu choice will cleanly shutdown the pfSense firewall and restart the operating system.

A few advanced options may also be displayed on this page, depending on hardware support:

Reboot normally

Performs a normal reboot in the traditional way.


This option does not perform a full reboot, but a “reroot” style boot. All running processes are killed, all filesystems are remounted, and then the system startup sequence is run again. This type of restart is much faster as it does not reset the hardware, reload the kernel, or need to go through the hardware detection process.

Reboot into Single User Mode

This will restart the firewall into single user mode for diagnostic purposes. The firewall cannot automatically recover from this state, console access is required to use single user mode and reboot the firewall. This menu option is not available on SG-1000.


In single user mode, the root filesystem defaults to read-only and other filesystems are not mounted. The firewall also does not have an active network connection. This option must only be used under the guidance of a support representative or a FreeBSD user with advanced knowledge.

Reboot and run a filesystem check

This reboots the firewall and forces a filesystem check using fsck, run five times. This operation can typically correct issues with the filesystem on the firewall. This menu option is not available on SG-1000.


The single user mode and filesystem check options require an uppercase letter to be entered to confirm the action. This is necessary to avoid activating the options accidentally. The reboot and reroot options may be entered in upper or lower case.

This action is also available in WebGUI at Diagnostics > Reboot

6) Halt system

This menu choice cleanly shuts down the firewall and either halts or powers off, depending on hardware support.


We strongly discourage cutting power from a running system. Halting before removing power is always the safest choice.

This action is also available in WebGUI at Diagnostics > Halt System

7) Ping host

This menu option runs a script which attempts to contact a host to confirm if it is reachable through a connected network. The script prompts the user for an IP address, and then it sends that target host three ICMP echo requests.

The script displays output from the test, including the number of packets received, sequence numbers, response times, and packet loss percentage.

The script uses ping when given an IPv4 address or a hostname, and ping6 when given an IPv6 address.

8) Shell

This menu choice starts a command line shell. A shell is very useful and very powerful, but also has the potential to be very dangerous.


The majority of pfSense users do not need to touch the shell, or even know it exists.

Complex configuration tasks may require working in the shell, and some troubleshooting tasks are easier to accomplish from the shell, but there is always a chance of causing irreparable harm to the system.

Veteran FreeBSD users may feel slightly at home there, but there are many commands which are not present on a pfSense system since unnecessary parts of the OS are removed for security and size constraints.

A shell started in this manner uses tcsh, and the only other shell available is sh . While it is possible to install other shells for the convenience of users, we do not recommend or support using other shells.

9) pfTop

This menu option invokes pftop which displays a real-time view of the firewall states, and the amount of data they have sent and received. It can help pinpoint sessions currently using large amounts of bandwidth, and may also help diagnose other network connection issues.

See also

See Viewing States with pfTop for more information on how to use pfTop.

10) Filter Logs

The Filter Logs menu option displays firewall log entries in real-time, in their raw form. The raw logs contain much more information per line than the log view in the WebGUI (Status > System Logs, Firewall tab), but not all of this information is easy to read.


For a simplified console view of the logs in real time with low detail, use this shell command:

clog -f /var/log/filter.log | filterparser.php

11) Restart webConfigurator

Restarting the webConfigurator will restart the system process that runs the WebGUI (nginx). In extremely rare cases the process may have stopped, and restarting it will restore access to the GUI.

If the GUI is not responding and this option does not restore access, invoke menu option 16 to Restart PHP-FPM after using this menu option.

12) PHP shell + pfSense tools

The PHP shell is a powerful utility that executes PHP code in the context of the running system. As with the normal shell, it is also potentially dangerous to use. This is primarily used by developers and experienced users who are intimately familiar with both PHP and the pfSense code base.

Playback Scripts

There are several playback scripts for the PHP Shell that automate simple tasks or enable access to the GUI.

These scripts are run from within the PHP shell like so:

pfSense shell: playback scriptname

They may also be run from the command line:

# pfSsh.php playback scriptname


This script changes the password for a user, and also prompts to reset the account properties if it is disabled or expired.

disablecarp / enablecarp

These scripts disable and enable CARP high availability functions, and will deactivate CARP type Virtual IP addresses. This action does not persist across reboots.

disablecarpmaint / enablecarpmaint

These scripts disable and enable CARP maintenance mode, which leaves CARP active but demotes this unit so the other node can assume control. This maintenance mode will persist across reboots.


This script removes all DHCP configuration from the firewall, effectively disabling the DHCP service and completely removing all of its settings.


This script disables the HTTP_REFERER check mentioned in Browser HTTP_REFERER enforcement. This can help gain access to the GUI if a browser session is triggering this protection.


This script adds an allow all rule for IPv4 and IPv6 to the WAN interface.


Be extremely careful with this option, it is meant to be a temporary measure to gain access to services on the WAN interface of the firewall in situations where the LAN is not usable. Once proper access rules are put in place, remove the rules added by this script.


This script enables the SSH daemon, the same as the console menu option or GUI option.


This script will look for a config.xml file on an external device, such as a USB thumb drive, and will move it in place for use by the firewall.


This script prints the current gateway status and statistics. It also accepts an optional parameter brief which prints only the gateway name and status, omitting the addresses and statistical data.


This script creates a new self-signed certificate for the firewall and activates it for use in the GUI. This is useful in cases where the previous certificate is invalid or otherwise not usable. It also fills in the certificate details using the firewall hostname and other custom information, to better identify the host.


This complex script synchronizes the PHP and other script sources with files from the pfSense github repository. It is most useful on development snapshots to pick up changes from more recent commits.


This script can be dangerous to use in other circumstances. Only use this under the direction of a knowledgeable developer or support representative.

If the script is run without any parameters it will print a help message outlining its use. More information can be found at Using gitsync to Update pfSense Between Snapshots.

installpkg / listpkg / uninstallpkg

These scripts interface with the pfSense package system in a similar way to the GUI. These are primarily used for debugging package issues, comparing information in config.xml compared to the package database.


This script recursively searches through pf anchors and prints any NAT or firewall rules it finds. This can help track down unexpected behavior in areas such as the relayd load balancer which rely on rules in anchors that are not otherwise visible in the GUI.


This script prints the contents of all pf tables, which contain addresses used in firewall aliases as well as built-in system tables for features such as bogon network blocking, snort, and GUI/SSH lockout. This script is useful for checking if a specific IP address is found in any table, rather than searching individually.


This script removes all traces of package configuration data from the running config.xml. This can be useful if a package has corrupted settings or has otherwise left the packages in an inconsistent state.


This script removes ALTQ traffic shaper settings, which can be useful if the shaper configuration is preventing rules from loading or is otherwise incorrect and preventing proper operation of the firewall.


This script resets the GUI settings for widgets, dashboard columns, the theme, and other GUI-related settings. It can return the GUI, particularly the dashboard, to a stable state if it is not functioning properly.


This script stops and restarts the DHCP daemon.


This script rewrites and reloads the IPsec configuration for strongSwan.


This script gives control over the services running on the firewall, similar to interacting with services at Status > Services.

The general form of the command is:

playback svc <action> <service name> [service-specific options]

The action can be stop, start, or restart.

The service name is the name of the services as found under Status > Services. If the name includes a space, enclose the name in quotes.

The service-specific options vary depending on the service, they are used to uniquely identify services with multiple instances, such as OpenVPN or Captive Portal entries.


  • Stop miniupnpd:

pfSsh.php playback svc stop miniupnpd
  • Restart OpenVPN client with ID 2:

pfSsh.php playback svc restart openvpn client 2
  • Start the Captive Poral process for zone “MyZone”:

pfSsh.php playback svc start captiveportal MyZone

13) Upgrade from console

This menu option runs the pfSense-upgrade script to upgrade the firewall to the latest available version. This is operationally identical to running an upgrade from the GUI and requires a working network connection to reach the update server.

This method of upgrading is covered with more detail in Upgrading using the Console.

14) Enable/Disable Secure Shell (sshd)

This option toggles the status of the Secure Shell Daemon, sshd. This option works the same as the option in the WebGUI to enable or disable SSH, but is accessible from the console.

15) Restore recent configuration

This menu option starts a script that lists and restores backups from the configuration history. This is similar to accessing the configuration history from the GUI at Diagnostics > Backup/Restore on the Config History tab.

This script can display the last few configuration files, along with a timestamp and description of the change made in the configuration, the user and IP address that made the change, and the config revision. This is especially useful if a recent configuration error accidentally removed access to the GUI.

16) Restart PHP-FPM

This menu option stops and restarts the daemon which handles PHP processes for nginx. If the GUI web server process is running but unable to execute PHP scripts, invoke this option. Run this option in conjunction with Restart webConfigurator for the best result.