Perform the Installation
This section describes the process of installing pfSense® software to a target drive, such as an SSD or HDD. In a nutshell, this involves booting from the installation memstick or CD/DVD disc and then completing the installer.
If the installer encounters an error while trying to boot or install from the installation media, see Troubleshooting Installation Issues.
The following items are requirements to run the installer:
Virtual environments may have additional requirements, see the following documents for examples:
pfSense Hangouts on Youtube also covers a variety of relevant topics.
Booting the Install Media
For USB memstick installations, insert the USB memstick and then power on the target system. The BIOS may require the disk to be inserted before the hardware boots.
For CD/DVD installations, power on the hardware then place the CD into an optical drive.
pfSense will begin to boot and will launch the installer automatically.
Specifying Boot Order in BIOS
If the target system will not boot from the USB memstick or CD, the most likely reason is that the given device was not found early enough in the list of boot media in the BIOS. Many newer motherboards support a one-time boot menu invoked by pressing a key during POST, commonly
Failing that, change the boot order in the BIOS. First, power on the hardware and enter the BIOS setup. The boot order option is typically found under a Boot or Boot Priority heading, but it could be anywhere. If support for booting from a USB or optical drive is not enabled, or has a lower priority than booting from a hard drive containing another OS, the hardware will not boot from the installer media. Consult the motherboard manual for more detailed information on altering the boot order.
Installing to the Hard Drive
For USB memsticks with a serial console connection, the first prompt will ask for the terminal type to use for the installer. For PuTTY or GNU screen, xterm is the best type to use. The following terminal types can be used:
Generic terminal with color coding
Generic terminal without color, most basic/compatible option, select if no others work
X terminal window. Compatible with most modern clients (e.g. PuTTY, screen)
FreeBSD console style terminal
For VGA consoles, cons25w is assumed by the installer.
To accept all of the defaults and use a typical installation, press Enter at each prompt until the installer finishes.
Once the installer launches, navigating its screens is fairly intuitive, and works as follows:
To select items, use the arrow keys to move the selection focus until the desired item is highlighted.
For installer screens containing a list, use the Up and Down arrow keys to highlight entries in the list. Use the Left and Right arrow keys to highlight the actions at the bottom of the screen such as Select and Cancel.
Enter selects an option and activates the action associated with that option.
Starting the Installer
First, the installer prompts to launch the Install process or a Rescue Shell. To continue installing, press Enter while Install is selected.
The Rescue Shell option starts a basic shell prompt where advanced users can perform tasks to prepare the system in ways not fully supported by the installer, or to perform diagnostic tests or repairs on the firewall.
The Keymap Selection screen is next. For the majority of users with a standard PC keyboard, press Enter to select Continue with default Keymap. If the keyboard used for the console has a different layout, find it in the list and select it instead. After making a selection, return to the top of the list and either choose Test or Continue.
Partition / Filesystem Selection
The Partitioning step selects the filesystem for the firewall’s target disk. In pfSense 2.3.x and before, the only option was UFS. The new ZFS filesystem type is more reliable and has more features than the older UFS format, however ZFS can be memory hungry. Either filesystem will work on hardware with several GB of RAM, but if RAM usage is critical to other tasks that will run on this firewall, UFS is a more conservative choice. For hardware that requires UEFI, use ZFS.
The process varies slightly depending on the selected filesystem type, so follow the section below that matches the filesystem type used by this firewall.
If the installer cannot find any drives, or if it shows incorrect drives, it is possible that the desired drive is attached to an unsupported controller or a controller set for an unsupported mode in the BIOS. See Troubleshooting Installation Issues for help.
Select Auto (UFS)
Select the target disk where the installer will write out the pfSense software, e.g. ada0. The installer will show each supported hard drive attached to the firewall, along with any supported RAID or gmirror volumes.
Select Entire Disk
Select Yes to confirm that the installer can overwrite the entire disk
Select the partition scheme to use for the disk:
The GUID partition table layout. Used by most modern x86 systems. May not function on older hardware/BIOS versions. Try this method first.
BSD Labels without an MBR, which used to be known as “dangerously dedicated mode”. This method should work on most hardware that cannot use GPT. This was the method used by older versions of pfSense software.
Select this only if GPT and BSD do not work on a specific piece of hardware.
The other choices are not relevant to hardware that is capable of running pfSense software.
Select Finish to accept the automatic partition layout chosen by the installer.
The partition sizes and such can be customized here, but we do not recommend taking that step. For nearly all installations, the default sizes are correct and optimal.
Select Commit to write the partition layout to the target disk.
Skip ahead to Continue with the Install.
Select Auto (ZFS)
Select Pool Type / Disks
Select the Virtual Device Type. ZFS supports multiple disks in various ways for redundancy and/or extra capacity. Though using multiple disks with ZFS is software RAID, it is quite reliable and better than using a single disk.
A single disk, or multiple disks added together to make one larger disk. For firewalls with a single target disk, this is the correct choice. (RAID 0)
Two or more disks that all contain the same content for redundancy. Can keep operating even if one disk dies. (RAID 1)
RAID 1+0, n x 2-way mirrors. A combination of stripes and mirrors, which gives redundancy and extra capacity. Can lose one disk from any pair at any time.
Single, Double, or Triple redundant RAID. Uses 1, 2, or 3 parity disks with a pool to give extra capacity and redundancy, so either one, two, or three disks can fail before a pool is compromised. Though similar to RAID 5 and 6, the RAIDZ design has significant differences.
Select the disks to use with the selected Virtual Device Type. Use the Up and Down arrow keys to highlight a disk and Space to select disks. Select a disk even if there is only one in the list. For mirrors or RAID types, select enough disks to fulfill the requirements for the chosen type.
Select OK with the
Choose an alternate Partition Scheme only if the default, GPT (BIOS), will not work. The possible choices include:
- GPT (BIOS)
The GUID partition table layout and BIOS booting. Used by most modern x86 systems. Try this method first.
- GPT (UEFI)
GPT with UEFI boot loader.
- GPT (BIOS+UEFI)
GPT with both BIOS and UEFI booting.
- MBR (BIOS)
Legacy MBR style partitions with BIOS booting.
- GPT + Active (BIOS)
GPT with the boot slice set active, with BIOS booting.
- GPT + Lenovo Fix (BIOS)
GPT with a Lenovo-specific boot fix.
Change the default swap size (optional) by selecting Swap Size and then entering a new value. Typically the optimal size is 2x the available RAM in the firewall, but with smaller disks that may be too much.
Leave the other options on the screen at their default values.
Move the selection back to Install and ensure Select is highlighted for the action at the bottom of the screen.
Select Yes to confirm the target disk selection, and to acknowledge that the contents of the target disk(s) will be destroyed.
Skip ahead to Continue with the Install.
Continue with the Install
Sit back, wait, and have a few sips of coffee while the installation process formats the drive(s) and copies pfSense files to the target disk(s).
Select No when prompted to make final modifications.
Select Reboot to restart the firewall.
Remove the installation media from the firewall during the reboot, when the hardware is starting back up but before it boots from the disk.
Congratulations, the pfSense software installation is complete!
pfSense Default Configuration
After installation and interface assignment, pfSense has the following default configuration:
WAN is configured as an IPv4 DHCP client.
WAN is configured as an IPv6 DHCP client and will request a prefix delegation.
LAN is configured with a static IPv4 address of 192.168.1.1/24.
LAN is configured to use a delegated IPv6 address/prefix obtained by WAN (Track IPv6) if one is available.
All incoming connections to WAN are blocked by the firewall.
All outgoing connections from LAN are allowed by the firewall.
The firewall performs NAT on IPv4 traffic leaving WAN from the LAN subnet.
The firewall will act as an IPv4 DHCP Server.
The firewall will act as an IPv6 DHCPv6 Server if a prefix delegation was obtained on WAN, and also enables SLAAC.
The DNS Resolver is enabled so the firewall can accept and respond to DNS queries.
SSH is disabled.
WebGUI is running on port 443 using HTTPS.
Default credentials are set to a username of
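
The defaults listed above can serve as a baseline when reviewing a firewall some time after installation. The following is an added example, not part of the pfSense documentation: it compares a configuration export against those defaults and reports every setting that differs, so that a change such as SSH being turned on is reviewed deliberately. The element paths, the `drift_from_defaults` name and the sample XML are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Post-install defaults from the list above, keyed by element path.
# The paths are an assumed config.xml layout, not given on this page.
BASELINE = {
    "interfaces/wan/ipaddr": "dhcp",         # WAN: IPv4 DHCP client
    "interfaces/wan/ipaddr6": "dhcp6",       # WAN: IPv6 DHCP client
    "interfaces/lan/ipaddr": "192.168.1.1",  # LAN: static IPv4 address
    "interfaces/lan/subnet": "24",           # LAN: /24 prefix length
    "interfaces/lan/ipaddr6": "track6",      # LAN: Track IPv6 from WAN
    "system/webgui/protocol": "https",       # WebGUI over HTTPS
    "system/webgui/port": "443",             # WebGUI on port 443
    "system/ssh/enable": "",                 # SSH disabled: absent or empty
}
# Value assumed when an element is missing or empty (assumption).
IMPLIED = {"system/webgui/port": "443"}

# Constructed sample: defaults everywhere except SSH, which was turned on.
SAMPLE_CONFIG = """<pfsense>
  <system>
    <webgui><protocol>https</protocol><port></port></webgui>
    <ssh><enable>enabled</enable></ssh>
  </system>
  <interfaces>
    <wan><ipaddr>dhcp</ipaddr><ipaddr6>dhcp6</ipaddr6></wan>
    <lan><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet>
         <ipaddr6>track6</ipaddr6></lan>
  </interfaces>
</pfsense>"""


def drift_from_defaults(xml_text):
    """Return (path, documented_default, actual) for every setting that differs."""
    root = ET.fromstring(xml_text)
    findings = []
    for path, expected in BASELINE.items():
        actual = (root.findtext(path) or "").strip() or IMPLIED.get(path, "")
        if actual != expected:
            findings.append((path, expected, actual))
    return findings


if __name__ == "__main__":
    for path, expected, actual in drift_from_defaults(SAMPLE_CONFIG):
        print(f"{path}: default {expected!r}, found {actual!r}")
```

A reported difference is not automatically a problem (changing the LAN address is routine); the output is a list of settings to account for.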