Using the PHP Shell

Using the PHP developer shell on pfSense® software allows manipulation of the firewall configuration directly without using the GUI. Using this mechanism also allows rapid deployment of pfSense software and/or the setup of exotic configurations.

The shell can be started from console menu option 12 or from the CLI by executing pfSsh.php.

Example Session

The following shows an example session, with the text coming from the help command in the PHP shell.

Follow each line or group of lines to run with exec;:

*** Welcome to pfSense ***

 WAN (wan)       -> vmx0       -> v4/DHCP4:
                                  v6/DHCP6: 2001:db8::ffff:22d6/128
 LAN (lan)       -> vmx1       -> v4:
                                  v6/t6: 2001:db8:1:eee0:20c:29ff:fe45:260/60

 0) Logout (SSH only)                  9) pfTop
 1) Assign Interfaces                 10) Filter Logs
 2) Set interface(s) IP address       11) Restart webConfigurator
 3) Reset webConfigurator password    12) PHP shell + pfSense tools
 4) Reset to factory defaults         13) Update from console
 5) Reboot system                     14) Disable Secure Shell (sshd)
 6) Halt system                       15) Restore recent configuration
 7) Ping host                         16) Restart PHP-FPM
 8) Shell

Enter an option: 12

Starting the pfSense developer shell....

Welcome to the pfSense developer shell

Type "help" to show common usage scenarios.

Available playback commands:
     changepassword disablecarp disabledhcpd disablereferercheck enableallowallwan enablecarp
     enablesshd externalconfiglocator generateguicert gitsync installpkg listpkg removepkgconfig
     removeshaper restartdhcpd restartipsec svc uninstallpkg

pfSense shell: help

     Enter a series of commands and then execute the set with "exec".

     For example:
     echo "foo"; // php command
     echo "foo2"; // php command
     ! echo "heh" # shell command

     Example commands:

     record <recordingfilename>

     parse_config(true);  # reloads the $config array

     $temp = print_r($config, true);

     /* to output a configuration array */

     /* to output the interfaces configuration portion of config.xml */

     /* to output the dhcp server configuration */

     /* to exit the  developer shell */

     /* to output supported wireless modes for an interface */

     /* to enable SSH */
     $config['system']['enablesshd'] = true;

     /* change OPTX to the OPT interface name such as BACKHAUL */
     $config['interfaces']['optx']['wireless']['standard'] = "11a";
     $config['interfaces']['optx']['wireless']['mode'] = "hostap";
     $config['interfaces']['optx']['wireless']['channel'] = "6";

     /* to enable dhcp server for an optx interface */
     $config['dhcpd']['optx']['enable'] = true;
     $config['dhcpd']['optx']['range']['from'] = "";
     $config['dhcpd']['optx']['range']['to'] = "";

     /* to disable the firewall filter */
     $config['system']['disablefilter'] = true;

     /* to enable an interface and configure it as a DHCP client */
     $config['interfaces']['optx']['disabled'] = false;
     $config['interfaces']['optx']['ipaddr'] = "dhcp";

     /* to enable an interface and set a static IPv4 address */
     $config['interfaces']['wan']['enable'] = true;
     $config['interfaces']['wan']['ipaddr'] = "";
     $config['interfaces']['wan']['subnet'] = "24";

     /* to save out the new configuration (config.xml) */

     /* to reboot the system after saving */

Playback Scripts

There are several pre-defined playback scripts for the PHP Shell that automate simple tasks or enable access to the GUI.

These scripts are run from within the PHP shell like so:

pfSense shell: playback scriptname


The PHP shell is not designed to run multiple playback scripts in a single session. After executing a playback script, exit the PHP shell and start it again. Otherwise subsequent scripts may fail to run. Alternately, run the playback scripts using the CLI method.

The scripts can also run from the command line:

# pfSsh.php playback scriptname


This must be run from an actual shell prompt over SSH or at the console. Do not attempt to run this through the GUI.


This script changes the password for a user, and also prompts to reset the account properties if it is disabled or expired.


This script can encrypt or decrypt configuration backups using the same method as doing so in the GUI when creating or restoring backups.

In either case, the script will prompt for the encryption passphrase. When decrypting, this passphrase must exactly match the passphrased used to encrypt the configuration file.


# pfSsh.php playback cryptconfig <action> <input filename> <output filename>

To encrypt a configuration file:

# pfSsh.php playback crypt encrypt /conf/config.xml /root/config-backup.xml

To decrypt a configuration file:

# pfSsh.php playback crypt decrypt /root/config-backup.xml /root/config.xml

disablecarp / enablecarp

These scripts disable and enable CARP high availability functions, and will deactivate CARP type Virtual IP addresses.

This action does not persist across reboots.

disablecarpmaint / enablecarpmaint

These scripts disable and enable CARP maintenance mode, which leaves CARP active but demotes this unit so the other node can assume control.

This maintenance mode will persist across reboots.


This script removes all DHCP configuration from the firewall, effectively disabling the DHCP service and completely removing all of its settings.


This script disables the HTTP_REFERER check mentioned in Browser HTTP_REFERER enforcement. This can help gain access to the GUI if a browser session is triggering this protection.


This script adds an allow all rule for IPv4 and IPv6 to the WAN interface.


Be extremely careful with this option, it is meant to be a temporary measure to gain access to services on the WAN interface of the firewall in situations where the LAN is not usable. Once proper access rules are put in place, remove the rules added by this script.


This script enables the SSH daemon, the same as the console menu option or GUI option.


This script looks for a config.xml file on an external device, such as a USB thumb drive, and will move it in place for use by the firewall.


This script prints the current gateway status and statistics. It also accepts an optional parameter brief which prints only the gateway name and status, omitting the addresses and statistical data.


This script creates a new self-signed certificate for the firewall and activates it for use in the GUI. This is useful in cases where the previous certificate is invalid or otherwise not usable. It fills in the certificate details using the firewall hostname and other custom information.


This complex script synchronizes the PHP and other script sources with files from the pfSense CE software Github repository. It is most useful on CE development snapshots to pick up changes from more recent commits.


This script can be dangerous to use in other circumstances. Only use this under the direction of a knowledgeable developer or support representative.


This script is not currently compatible with pfSense Plus software.

If the script is run without any parameters it prints a help message outlining its use. More information can be found at Using gitsync to Update pfSense® Software Between Snapshots.

installpkg / listpkg / uninstallpkg

These scripts interface with the package system in a similar way to the GUI. These are primarily used for debugging package issues, comparing information in config.xml compared to the package database.


This script recursively searches through pf anchors and prints any NAT or firewall rules it finds. This can help track down unexpected behavior in areas such as UPnP or Captive Portal which rely on rules in anchors that are not otherwise visible in the GUI.


This script prints the contents of all pf tables, which contain addresses used in firewall aliases as well as built-in system tables for features such as bogon network blocking, snort, and GUI/SSH lockout. This script is useful for checking if a specific IP address is found in any table, rather than searching individually.


This script removes all traces of package configuration data from the running config.xml. This can be useful if a package has corrupted settings or has otherwise left the packages in an inconsistent state.


This script removes ALTQ traffic shaper settings, which can be useful if the shaper configuration is preventing rules from loading or is otherwise incorrect and preventing proper operation of the firewall.


This script resets the GUI settings for widgets, dashboard columns, the theme, and other GUI-related settings. It can return the GUI, particularly the dashboard, to a stable state if it is not functioning properly.


This script disables and re-enables each WAN-type interface, which reapplies the interface configuration.


This script stops and restarts the DHCP daemon.


This script rewrites and reloads the IPsec configuration for strongSwan.


This script controls the services running on the firewall, similar to interacting with services at Status > Services.

The general form of the command is:

# pfSsh.php playback svc <action> <service name> [service-specific options]

The action can be stop, start, or restart.

The service name is the name of the services as found under Status > Services. If the name includes a space, enclose the name in quotes.

The service-specific options vary depending on the service, they are used to uniquely identify services with multiple instances, such as OpenVPN or Captive Portal entries.


Stop miniupnpd:

# pfSsh.php playback svc stop miniupnpd

Restart OpenVPN client with ID 2:

# pfSsh.php playback svc restart openvpn client 2

Start the Captive Portal process for zone “MyZone”:

# pfSsh.php playback svc start captiveportal MyZone


Runs the current configuration, or optionally an arbitrary configuration file, through the configuration upgrade process.

The general form of the command is:

# pfSsh.php playback upgradeconfig [<input filename> <output filename>]

To force the current running configuration through the upgrade process:

# pfSsh.php playback upgradeconfig

To run the configuration upgrade process on a different configuration file:

# pfSsh.php playback upgradeconfig /root/oldconfig.xml /root/newconfig.xml


Some configuration upgrade steps may contain a directive to write the configuration which may unintentionally replace the current running configuration with the copy being upgraded at that step. After running this script on an arbitrary file, visit the configuration history (Restoring from the Config History) and roll back to the correct configuration if it was replaced. The upgrade process does not apply settings, so no additional action should be necessary.

Recording and Playback

Aside from the predefined scripts, users may create their own playback scripts by recording sessions.

This can easily automate a number of commands to repeat them later, saving time and effort.

Recording a session

# pfSsh.php

pfSense shell: record resetrrd
Recording of resetrrd started.
pfSense shell: require_once("");
pfSense shell: require("");
pfSense shell: require_once("");
pfSense shell: ! rm /var/db/rrd/*.rrd
pfSense shell: enable_rrd_graphing();
pfSense shell: setup_gateways_monitor();
pfSense shell: stoprecording
Recording stopped.
pfSense shell: exit

Playing back a session

# pfSsh.php

pfSense shell: playback resetrrd

Playback of file resetrrd started.

pfSense shell: exit


The PHP shell is not designed to run multiple playback scripts in a single session. After executing a playback script, exit the PHP shell and start it again. Otherwise subsequent scripts may fail to run. Alternately, run the playback scripts using the CLI method.

Sessions can be played back directly from the command line as well:

# pfSsh.php playback resetrrd