Console Menu Basics
Basic configuration and maintenance tasks can be performed from the pfSense® system console. The console is available using a keyboard and monitor, serial console, or by using SSH. Access methods vary depending on hardware. Below is an example of what the console menu will look like, but it may vary slightly depending on the version and platform:
    WAN (wan)       -> vmx0       -> v4/DHCP4: 198.51.100.6/24
                                     v6/DHCP6: 2001:db8::20c:29ff:fe78:6e4e/64
    LAN (lan)       -> vmx1       -> v4: 10.6.0.1/24
                                     v6/t6: 2001:db8:1:eea0:20c:29ff:fe78:6e58/64

    0) Logout (SSH only)                   9) pfTop
    1) Assign Interfaces                  10) Filter Logs
    2) Set interface(s) IP address        11) Restart GUI
    3) Reset admin account and password   12) PHP shell + pfSense tools
    4) Reset to factory defaults          13) Update from console
    5) Reboot system                      14) Disable Secure Shell (sshd)
    6) Halt system                        15) Restore recent configuration
    7) Ping host                          16) Restart PHP-FPM
    8) Shell
First Connection Behavior
On pfSense Plus software version 24.03 and later, during the first connection to the console or SSH after installation or resetting to factory defaults, the user is prompted to set a new password for the admin account.
This change is mandatory; however, it can also be performed in the GUI using the Setup Wizard, the User Password Manager, or the User Manager.
If the password has been changed in the GUI, press Ctrl-C to cancel the console password change prompt. The script will check the password again and if it has been changed, it will display the menu. If the password is still the default value, however, the user will be logged out.
1) Assign Interfaces
This option restarts the Interface Assignment task, which is covered in detail in Assign Interfaces and Manually Assigning Interfaces. This menu option can create VLAN interfaces, reassign existing interfaces, or assign new ones.
2) Set interface(s) IP address
The script to set an interface IP address can set WAN, LAN, or OPT interface IP addresses, but there are also other useful features of this script:
The firewall prompts to enable or disable DHCP service for an interface, and to set the DHCP IP address range if it is enabled.
If the firewall GUI is configured for HTTPS, the menu prompts to switch to HTTP. This helps in cases when the SSL configuration is not functioning properly.
If the anti-lockout rule on LAN has been disabled, the script enables the anti-lockout rule in case the user has been locked out of the GUI.
3) Reset admin account and password
This menu option invokes a script to reset the admin account and password.
The script takes a few actions to help regain access to the admin account:
If the authentication source is set to a remote server such as RADIUS or LDAP, the script prompts to return the authentication source to the Local Database (User Manager).
If the admin account has been removed, the script re-creates the account.
If the admin account is disabled or expired, the script re-enables the account.
Once the admin account has been restored to a working state, the script prompts to set and confirm a new password. This new password can then be used to log in to the admin account in the GUI, console, or SSH (if enabled).
Tip
This option can be used to change the password for the admin account from the console instead of using the GUI.
Note
On previous versions of pfSense software this option reset the password to a default value (Default Username and Password). This is no longer the case as the best practice is to avoid using default passwords.
4) Reset to factory defaults
This menu choice restores the system configuration to factory defaults. It will also attempt to remove any installed packages.
This action is also available in WebGUI at Diagnostics > Factory Defaults.
See Resetting to Factory Defaults for more details about how this process works.
5) Reboot system
This menu choice cleanly shuts down the firewall and restarts the operating system. There are several options which control what the firewall will do when rebooting. The choices offered by the reboot option are explained in Reboot Methods.
See also
This action is also available in WebGUI at Diagnostics > Reboot, see Rebooting the Firewall for details.
6) Halt system
This menu choice cleanly shuts down the firewall and either halts or powers off, depending on hardware support.
Warning
The best practice is to never cut power from a running system. Halting before removing power is always the safest choice.
See also
This action is also available in WebGUI at Diagnostics > Halt System. See Halting and Powering Off the Firewall for additional details.
7) Ping host
This menu option runs a script which attempts to contact a host to confirm if it is reachable by the firewall through a connected network. The script prompts the user for an IP address, and then the script sends that target host three ICMP echo requests.
The script displays output from the test, including the number of packets received, sequence numbers, response times, and packet loss percentage.
The script uses ping when given an IPv4 address or a hostname, and ping6 when given an IPv6 address.
This is only a basic ping test. For more options, see Ping Host to run a similar test from the GUI.
8) Shell
This menu choice starts a command line shell.
Warning
A shell is very useful and very powerful, but also has the potential to be very dangerous.
Note
The majority of users do not need to touch the shell, or even know it exists.
Complex configuration tasks may require working in the shell, and some troubleshooting tasks are easier to accomplish from the shell, but there is always a chance of causing irreparable harm to the system.
Veteran FreeBSD users may feel slightly at home there, but there are many commands which are not present on pfSense software installations since unnecessary parts of the OS are removed for security and size constraints.
A shell started in this manner uses tcsh, and the only other shell available is sh. While it is possible to install other shells for the convenience of users, Netgate neither recommends nor supports using other shells.
9) pfTop
This menu option invokes pftop, which displays a real-time view of the firewall states, and the amount of data they have sent and received. It can help pinpoint sessions currently using large amounts of bandwidth, and may also help diagnose other network connection issues.
See also
See pfTop for more information on how to use pfTop.
10) Filter Logs
The Filter Logs menu option displays firewall log entries in real-time, in their raw form. The raw logs contain much more information per line than the log view in the WebGUI (Status > System Logs, Firewall tab), but not all of this information is easy to read.
Tip
For a simplified console view of the firewall logs in real time with low detail, use the following shell command:
tail -F /var/log/filter.log | filterparser.php
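To show what the raw lines carry, the following added example (not part of pfSense software and not the behavior of filterparser.php) reduces each raw entry to action, direction, interface, protocol, and endpoints. The function names are hypothetical, the sample lines are constructed, and the field positions are an assumption based on the documented raw filter log CSV layout.

```shell
#!/bin/sh
# Added example: condense raw filterlog lines to one readable line each.
# Field positions are an assumption based on the documented raw filter log
# CSV layout; confirm them against the running version.

summarize_filterlog() {
    awk -F, '
    {
        # Strip the syslog prefix; awk re-splits the CSV payload afterwards.
        if (!sub(/^.*filterlog[^:]*: /, "")) next
        iface = $5; action = $7; dir = $8; ipver = $9
        if (ipver == 4) {         # IPv4: protocol name 17, addresses 19-20
            proto = tolower($17); src = $19; dst = $20; p = 21
        } else if (ipver == 6) {  # IPv6: protocol name 13, addresses 16-17
            proto = tolower($13); src = "[" $16 "]"; dst = "[" $17 "]"; p = 18
        } else {
            next                  # unknown layout: skip rather than guess
        }
        if (proto == "tcp" || proto == "udp") {
            # Ports follow the addresses only for TCP and UDP entries.
            src = src ":" $p; dst = dst ":" $(p + 1)
        }
        printf "%s %s %s %s %s -> %s\n", action, dir, iface, proto, src, dst
    }'
}

# Constructed sample lines (documentation addresses, made-up rule numbers).
sample_lines() {
    cat <<'EOF'
Mar  1 12:00:00 fw filterlog[12345]: 5,16777216,,1000000103,igb1,match,block,in,4,0x10,,128,0,0,none,17,udp,328,198.51.100.1,198.51.100.2,67,68,308
Mar  1 12:00:01 fw filterlog[12345]: 80,,,1700000001,vmx0,match,pass,out,6,0x00,0x00000,64,TCP,6,40,2001:db8::10,2001:db8::20,51514,443,0,S,123456789,,65535,,mss
Mar  1 12:00:02 fw filterlog[12345]: 4,,,1000000104,vmx0,match,block,in,4,0x0,,64,4321,0,DF,1,icmp,84,203.0.113.7,198.51.100.6,request,1,1
EOF
}

sample_lines | summarize_filterlog
```

Lines without a filterlog prefix or with an unrecognized IP version are skipped, so a layout change produces missing output instead of misattributed addresses.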
11) Restart GUI
Restarting the webConfigurator will restart the system process that runs the GUI (nginx). In extremely rare cases the process may have stopped, and restarting it will restore access to the GUI.
If the GUI is not responding and this option does not restore access, invoke menu option 16 to Restart PHP-FPM after using this menu option.
12) PHP shell + pfSense tools
The PHP shell is a powerful utility that executes PHP code in the context of the running system. As with the normal shell, it is also potentially dangerous to use. This is primarily used by developers and experienced users who are intimately familiar with both PHP and the pfSense software code base.
See also
See Using the PHP Shell for additional details and a list of available playback scripts.
13) Upgrade from console
This menu option runs the pfSense-upgrade script to upgrade the firewall to the latest available version. This is operationally identical to running an upgrade from the GUI and requires a working network connection to reach the update server.
This method of upgrading is covered in more detail in Upgrading using the Console.
14) Enable/Disable Secure Shell (sshd)
This option toggles the status of the Secure Shell Daemon, sshd. This option works the same as the option in the WebGUI to enable or disable SSH.
15) Restore recent configuration
This menu option starts a script that lists and restores backups from the configuration history. This is similar to accessing the configuration history from the GUI at Diagnostics > Backup/Restore on the Config History tab (Configuration History).
This script can display the last few configuration files, along with a timestamp and description of the change made in the configuration, the user and IP address that made the change, and the config revision. This is especially useful if a recent configuration error accidentally prevented access to the GUI.
16) Restart PHP-FPM
This menu option stops and restarts the daemon which handles PHP processes for nginx. If the GUI web server process is running but unable to execute PHP scripts, invoke this option. Run this option in conjunction with Restart webConfigurator for the best result.