General Configuration Options

System > General Setup contains basic configuration options for pfSense® software. A few of these options are also found in the Setup Wizard.

Hostname:

The Hostname is the short name for this firewall, such as firewall1, hq-fw, or site1. The name must start with a letter and it may contain only letters, numbers, or a hyphen.

Domain:

The Domain name for this firewall, e.g. example.com . If this network does not have a domain, use <something>.home.arpa, where <something> is another identifier: a company name, last name, nickname, etc. For example, company.home.arpa

The Hostname and Domain name are combined to make up the Fully Qualified Domain Name (FQDN) of this firewall. For example, if the Hostname is fw1 and the Domain is example.com, then the FQDN is fw1.example.com.

DNS Server Settings

Options in this section control how the firewall resolves hostnames using DNS.

Note

The DNS Resolver is active by default and uses resolver mode (DNS Resolver Mode). When set this way the DNS Resolver does not need forwarding DNS servers as it will communicate directly with root DNS servers and other authoritative DNS servers.

To use the servers in this list, switch the DNS resolver to forwarding mode. The DNS Forwarder (DNS Forwarder) only supports forwarding mode and will always use the servers from this list.

DNS Servers

This page supports multiple DNS servers managed as a list. To add more DNS servers, click fa-plus Add DNS Server. To remove an entry from the list click fa-trash-can Delete.

The DNS server list may be left blank if the DNS Resolver is active in its default resolver mode. If this firewall has a dynamic WAN type such as DHCP or PPPoE these servers may be automatically assigned by the ISP and can also be left blank.

Each DNS server entry has the following properties:

Address:

The IP address of the DNS Server.

Hostname:

The FQDN of the DNS server, used to validate DNS server certificates when using DNS over TLS (DNS Resolver Configuration).

Gateway:

The gateway through which the firewall will reach this DNS server.

This is useful in a Multi-WAN scenario where, ideally, the firewall will have at least one DNS server configured per WAN. More information on DNS for Multi-WAN can be found in DNS Forwarding and Static Routes.

DNS Resolution Behavior

These options fine tune the way the firewall utilizes DNS servers.

DNS Server Override:

When checked, a dynamic WAN ISP can supply DNS servers which override those set manually. To force the use of only the DNS servers on this page, uncheck this option. This does not apply to the DNS Resolver when acting in resolver mode.

DNS Resolution Behavior:

This option controls how the firewall itself resolves DNS queries.

Use Local DNS (127.0.0.1), fall back to remote DNS Servers (Default):

By default, the firewall will consult the DNS Resolver or DNS Forwarder running on this firewall to resolve hostnames for itself. It does this by listing localhost (127.0.0.1) as its first DNS server internally. If the local DNS server is unreachable, the firewall will send queries directly to the DNS servers configured on this page, or those received from dynamic WANs.

This method gives the firewall the best chance of having working DNS.

Use Local DNS (127.0.0.1), ignore remote DNS Servers:

Like the option above, this option will make the firewall use its own DNS Resolver or DNS Forwarder to resolve hostnames. However, it will not attempt to use any other server.

This option is more secure as it forces DNS to be resolved using the configuration on the DNS Resolver or DNS Forwarder, which may have special requirements restricting or redirecting name resolution. For example, if the DNS Resolver is configured for DNS over TLS, using this option ensures that the firewall will not send queries to DNS servers without using TLS.

Use remote DNS Servers, ignore local DNS:

This option forces the firewall to use the DNS servers configured on this page or from dynamic WANs and it will not utilize the local DNS Resolver or DNS Forwarder.

This option is useful when the local DNS service is configured in a strict manner to control client behavior, but the firewall still needs unrestricted access to DNS for tasks such as updates and installing packages.

Localization

Options in this section control the firewall clock and language.

Time Zone:

The time zone used by the firewall for its clock. Choose a geographically named zone which best matches location of this firewall, or a common zone such as UTC. The firewall clock, log entries, and other areas of the firewall base their time on this zone.

Note

Changing the zone requires a reboot to fully activate the new zone in all areas of the firewall.

Tip

Avoid using the GMT +/- zones as they do not operate in an intuitive manner. See Troubleshooting Time Zone Configuration for more information.

Time Servers:

Network Time Protocol (NTP) server hostnames or IP addresses. Unless a specific NTP server is required, such as one on LAN, the best practice is to leave the Time Servers value at the default 2.pfsense.pool.ntp.org. This value will pick random servers from a pool of known-good IPv4 and IPv6 NTP hosts.

To utilize multiple time servers or pools, add them in the same box, separating each entry by a space. For example, to use three NTP servers from the pool, enter:

0.pfsense.pool.ntp.org 1.pfsense.pool.ntp.org 2.pfsense.pool.ntp.org

This numbering is specific to how .pool.ntp.org operates and ensures each address is drawn from a unique pool of NTP servers so the same server does not get used twice.

Language:

The language used by the GUI. The GUI has been translated into multiple languages in addition to the default English language.

webConfigurator

Options in this section control various behaviors of the web-based GUI, which can be referred to as the GUI, WebGUI, or webConfigurator.

Theme:

The Theme controls the look and feel of the GUI. Several themes are included in the base system, and they only make cosmetic not functional changes to the GUI.

Top Navigation:

This option controls the behavior of the menu bar at the top of each page. There are two possible choices:

Scrolls with page:

The default behavior. When the page scrolls, the navigation remains at the top of the page, so it is no longer visible as it scrolls off the top of the window.

This is the best option for most situations.

Fixed:

When selected, the navigation remains fixed at the top of the window, always visible and available for use.

This behavior can be convenient, but can be problematic on smaller screens such as tablets and mobile devices. On low resolution browsers long menus can be cut off, leaving options at the bottom unreachable.

Hostname in Menu:

Chooses if and how the GUI includes the firewall hostname in the menu. This can aid in quickly identifying a firewall when managing multiple firewalls in separate tabs or windows, but it consumes extra space in the menu.

Default (No hostname):

The GUI does not display the hostname or FQDN in the menu.

Hostname Only:

When set, the GUI includes the firewall Hostname (no domain name) in the menu.

If all firewalls are in the same domain, or if they have unique hostnames, this may be sufficient.

Fully Qualified Domain Name:

When set, the GUI includes the Fully Qualified Domain Name of the firewall in the menu.

This takes more space than displaying the hostname portion alone, but may be necessary to properly distinguish firewalls if they use similar hostnames in multiple domains.

Dashboard Columns:

The dashboard is limited to 2 columns by default. On wider displays, additional columns can utilize extra horizontal screen space. The maximum number of columns is 4.

Interfaces Sort:

When unset (default), the GUI presents interfaces in their natural order from the configuration. This is critical for functions such as High Availability which require specific interface ordering. When this option is set, the GUI sorts the interface list alphabetically.

Associated Panels Show/Hide:

A few GUI pages contain collapsible panels with settings or functions. These panels take up extra screen space so they are hidden by default. For firewall administrators who use the panels frequently, this can be slow and inefficient. The options in this group make the GUI show these panels by default instead of hiding them.

Available Widgets:

Controls the Available Widgets panel on the Dashboard.

Log Filter:

Controls the log filtering (fa-filter) panel used for searching log entries under Status > System Logs.

Manage Log:

Controls the per-log settings in the Manage Log (fa-wrench) panel available for each log under Status > System Logs.

Monitoring Settings:

Controls the options panel used to change the graphs at Status > Monitoring.

Require State Filter:

When set, the state table contents at Diagnostics > States are suppressed by the GUI unless a filter string is present. This helps the GUI handle large state tables which otherwise may fail to load.

Left Column Labels:

When checked, the option labels in the left column are set to toggle options when clicked. This can be convenient if the firewall administrator is used to the behavior, but it can also be problematic on mobile or in cases when the behavior is unexpected.

Alias Popups:

When set, the tooltip presented by the GUI when hovering over an alias in a rule list only shows the alias description. When unset, the contents of the alias are included in the tooltip. For firewalls with large aliases, this may cause performance or browser rendering issues.

Disable Dragging:

When set, the GUI disables drag-and-drop on rule lists. Most users find drag-and-drop to be convenient and beneficial, thus the feature is enabled by default. Users who find the behavior undesirable can set this option.

Login Page Color:

Controls the color of the login page, which is independent of the theme.

Login Hostname:

When set, the GUI includes the hostname on the login form.

Warning

This can be considered a security risk since it exposes information about the firewall to users who have not yet authenticated. If the firewall GUI is only reachable by authorized management clients, the convenience may outweigh the potential risk.