Netgate is offering COVID-19 aid for pfSense software users, learn more.
To assign a new interface:
Navigate to Interfaces > Assignments
Pick the new interface from the Available network ports list
The newly assign interface will be shown in the list. The new interface will have a default name allocated by the firewall such as OPT1 or OPT2, with the number increasing based on its assignment order. The first two interfaces default to the names WAN and LAN but they can be renamed. These OPTx names appear under the Interfaces menu, such as Interfaces > OPT1. Selecting the menu option for the interface will open the configuration page for that interface.
The following options are available for all interface types.
The name of the interface. This will change the name of the interface on the Interfaces menu, on the tabs under Firewall > Rules, under Services > DHCP, and elsewhere throughout the GUI. Interface names may only contain letters, numbers and the only special character that is allowed is an underscore (“_”). Using a custom name makes it easier to remember the purpose of an interface and to identify an interface for adding firewall rules or choosing other per-interface functionality.
IPv4 Configuration Type¶
Configures the IPv4 settings for the interface. Details for this option are in the next section, IPv4 WAN Types.
IPv6 Configuration Type¶
Configures the IPv6 settings for the interface. Details for this option are in IPv6 WAN Types.
The MAC address of an interface can be changed (“spoofed”) to mimic a previous piece of equipment.
We recommend avoiding this practice. The old MAC would generally be cleared out by resetting the equipment to which this firewall connects, or by clearing the ARP table, or waiting for the old ARP entries to expire. It is a long-term solution to a temporary problem.
Spoofing the MAC address of the previous firewall can allow for a smooth transition from an old router to a new router, so that ARP caches on devices and upstream routers are not a concern. It can also be used to fool a piece of equipment into believing that it’s talking to the same device that it was talking to before, as in cases where a certain network router is using static ARP or otherwise filters based on MAC address. This is common on cable modems, where they may require the MAC address to be registered if it changes.
One downside to spoofing the MAC address is that unless the old piece of equipment is permanently retired, there is a risk of later having a MAC address conflict on the network, which can lead to connectivity problems. ARP cache problems tend to be very temporary, resolving automatically within minutes or by power cycling other equipment.
If the old MAC address must be restored, this option must be emptied out and then the firewall must be rebooted. Alternately, enter the original MAC address of the network card and save/apply, then empty the value again.
MTU (Maximum Transmission Unit)¶
The Maximum Transmission Unit (MTU) size field can typically be left blank, but can be changed when required. Some situations may call for a lower MTU to ensure packets are sized appropriately for an Internet connection. In most cases, the default assumed values for the WAN connection type will work properly. It can be increased for those using jumbo frames on their network.
On a typical Ethernet style network, the default value is 1500, but the actual value can vary depending on the interface configuration.
MSS (Maximum Segment Size)¶
Similar to the MTU field, the MSS field “clamps” the Maximum Segment Size (MSS) of TCP connections to the specified size in order to work around issues with Path MTU Discovery.
Speed and Duplex¶
The default value for link speed and duplex is to let the firewall decide what is best. That option typically defaults to Autoselect, which negotiates the best possible speed and duplex settings with the peer, typically a switch.
The speed and duplex setting on an interface must match the device to which it is connected. For example, when the firewall is set to Autoselect, the switch must also be configured for Autoselect. If the switch or other device has a specific speed and duplex forced, it must be matched by the firewall.
Block Private Networks¶
When Block private networks is active, pfSense® software inserts a rule
automatically that prevents any RFC 1918 networks (
192.168.0.0/16) and loopback (
communicating on that interface. This option is usually only desirable on WAN
type interfaces to prevent the possibility of privately numbered traffic coming
in over a public interface.
Block bogon networks¶
When Block bogon networks is active, pfSense software will block traffic from a list of unallocated and reserved networks. This list is periodically updated by the firewall automatically.
Now that the IPv4 space has all been assigned, this list is quite small, containing mostly networks that have been reserved in some way by IANA. These subnets should never be in active use on a network, especially one facing the Internet, so it’s a good practice to enable this option on WAN type interfaces. For IPv6, the list is quite large, containing sizable chunks of the possible IPv6 space that has yet to be allocated. On systems with low amounts of RAM, this list may be too large, or the default value of Firewall Maximum Table Entries may be too small. That value may be adjusted under System > Advanced on the Firewall & NAT tab.