pfSense Basic Configuration
I recently restructured my Proxmox server so that all incoming and outgoing traffic goes through a pfSense router. The main goal of this is to provide consistent IP addresses to all the virtual machines and containers running on the host. The general setup of pfSense went smoothly, for the most part.
If at any point you lose access to the dashboard because of the firewall rules, you can disable them temporarily by running pfctl -d.
This setup assumes that the WAN interface (called vtnet0) receives a DHCP address from the local network and the LAN network (called vtnet1) has the address 10.0.0.1/24. That is,
To install, just follow the setup steps, choosing the default options. Once pfSense is installed and the dashboard can be accessed, the setup can continue.
After the install, run the pfctl -d command to ensure access to the dashboard on WAN. Once this is done you can access the dashboard in your browser at http://<dhcp-wan-address>. This will land you on the setup wizard of pfSense.
Wizard / pfSense Setup / General Information
- Hostname [pfsense]
- Domain [localdomain]
- Primary DNS [184.108.40.206]
- Secondary DNS [220.127.116.11]
- Override DNS [true]
Wizard / pfSense Setup / Configure WAN Interface
- Selected Type [dhcp]
- Block RFC1918 Private Networks [false]
- Block bogon networks [false]
Leave all other values as they are.
Wizard / pfSense Setup / Configure LAN Interface
- LAN IP Address [10.0.0.1]
- Subnet Mask [24]
Wizard / pfSense Setup / Set Admin WebGUI Password
Be sensible. Make sure you set a strong password.
The firewall is where things get interesting. If this is misconfigured, you can easily manage to lock yourself out of the dashboard and prevent any clients from accessing the internet.
Firewall / Aliases / Ports
To make some of the other setup easier, we can define an alias for the pfSense admin ports. This means that when creating rules, the alias can be used instead of individual ports.
Create an alias called pfsense_admin with the following ports attached to it:
- 8080 (pfSense dashboard)
- 2222 (pfSense SSH)
Firewall / Rules / WAN
We need to create a rule which will allow access to the dashboard from the WAN network. Normally this is blocked, but as the WAN network is the normal home network, we can allow it.
Create a new rule with the following:
- Action [Pass]
- Interface [WAN]
- Source [any]
- Destination [This firewall (self)]
- Destination Port Range
  - From [other]
  - Custom [pfsense_admin]
  - To [other]
  - Custom [pfsense_admin]
Now that this rule has been added, we can go about changing the port which the pfSense web GUI runs on.
System / Advanced / Admin Access
- Protocol [https]
- TCP Port [8080]
- Secure Shell Server [true]
- SSHd Key Only [Password or Public Key]
- SSH Port [2222]
This will tell pfSense to run the web GUI on port 8080 and allow SSH access on port 2222. All the other settings here can be left alone.
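To confirm what the WAN rule and the pfsense_admin alias actually expose, the following added example (not part of the original post or of pfSense itself) audits a configuration backup for WAN pass rules that reach the firewall. The embedded XML is a constructed sample whose element layout is assumed to follow a pfSense config.xml backup; `port_aliases` and `wan_admin_exposure` are illustrative names.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt shaped like a pfSense config.xml backup (assumed layout),
# holding the alias and WAN rule from this guide plus an unrelated LAN rule.
SAMPLE_CONFIG = """<pfsense>
  <aliases>
    <alias><name>pfsense_admin</name><type>port</type><address>8080 2222</address></alias>
  </aliases>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><network>(self)</network><port>pfsense_admin</port></destination>
    </rule>
    <rule><type>pass</type><interface>lan</interface>
      <source><network>lan</network></source>
      <destination><any/></destination>
    </rule>
  </filter>
</pfsense>"""

def port_aliases(root):
    """Map each port alias name to the list of ports it contains."""
    out = {}
    for alias in root.iterfind("./aliases/alias"):
        if alias.findtext("type") == "port":
            out[alias.findtext("name")] = (alias.findtext("address") or "").split()
    return out

def wan_admin_exposure(config_xml):
    """Return findings for enabled WAN pass rules that reach the firewall itself."""
    root = ET.fromstring(config_xml)
    aliases = port_aliases(root)
    findings = []
    for rule in root.iterfind("./filter/rule"):
        dest = rule.find("destination")
        if rule.findtext("type") != "pass" or rule.findtext("interface") != "wan":
            continue
        if rule.find("disabled") is not None or dest is None:
            continue
        # Only rules aimed at the firewall, or at any destination, are relevant.
        if dest.findtext("network") != "(self)" and dest.find("any") is None:
            continue
        port = dest.findtext("port") or "any"
        findings.append({
            "ports": aliases.get(port, [port]),  # expand the alias if it is known
            "any_source": rule.find("source/any") is not None,
        })
    return findings

if __name__ == "__main__":
    for f in wan_admin_exposure(SAMPLE_CONFIG):
        print("WAN -> firewall", f["ports"], "open to any source:", f["any_source"])
```

A finding with `any_source` set to true means every host on the WAN side can reach the listed ports, so the admin password and SSH settings are the only remaining control.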
Static IP Leases
It can be useful to ensure that a host always has the same IP address. The easiest way to do this is to first connect the host to the pfSense network. This way pfSense will assign it a dynamic IP address, meaning it shows up in the DHCP leases section of the dashboard (found at 'Status / DHCP Leases').
Once on this dashboard, there should be a small plus icon on the far right of the DHCP entry. Clicking this will redirect you to a page where you can edit the static address for the host. The advantage of this is that it auto-fills the client MAC address field and the hostname. From here you can set the IP address (must be in the range 10.0.0.10 to 10.0.0.245). Additionally, you can specify a description to be shown next to the mapping.