How to Configure pfSense: The Ultimate Setup Guide for 2024 (2024)

If you’re new to pfSense, the sheer number of menus in the web configurator can be intimidating, and you may also be wondering what a few of them are for. That’s why we put together this pfSense web configurator menu overview. It lists all of the menus found in a stock pfSense installation and provides a brief overview of each of them, with screenshots (IP and MAC addresses are blurred).

When a page is empty, because nothing is configured, we also show a screenshot of the configuration options for that service, underneath. The configuration options are typically displayed by clicking the green Add button.

To access the pfSense web configurator, open a web browser on a computer connected to your firewall and enter https://[your LAN IP address]. By default, it is 192.168.1.1. Enter your username and password on the login page. The defaults are admin/pfsense, respectively. Once logged in, you’re taken to the pfSense Dashboard, which displays useful high-level information about your firewall.

Two widgets are displayed by default: System Information and Interfaces. You can add more by clicking the + icon at the top right.

At the top of the web configurator are eight menus:

  • System
  • Interfaces
  • Firewall
  • Services
  • VPN
  • Status
  • Diagnostics
  • Help

It is through these eight menus (and their submenus) that you can configure all of your pfSense firewall’s settings. We’re going to look at all of them.

System

The System menu encompasses pages dedicated to configuring the pfSense system itself. That means things like configuring access to the GUI, setting up routes and gateways, managing users, setting up failover (requires multiple pfSense firewalls), updating the system to the latest version and managing optional packages, among other things.

Advanced

System/ Advanced
Admin Access

From this page, you can configure how you access your system: the port and protocol (HTTP / HTTPS) over which to access the GUI, whether SSH access is enabled and how it is configured, and other parameters that affect access to your system.

Firewall & NAT

The Firewall & NAT page enables you to configure basic firewall behavior. Enabling and disabling packet filtering is done here, as is enabling and disabling certain default firewall rules. You can also set the maximum number of states, table entries and fragment entries.

Below the firewall settings, you can configure NAT reflection and state timeouts.

Networking

The Networking menu allows you to enable, disable, and configure IPv6. You can also enable or disable hardware offloading from here.

Miscellaneous

This menu, as its name states, is a grouping of miscellaneous settings. Things like load balancing, power savings settings, cryptographic and thermal hardware settings, gateway monitoring, and RAM disk settings can be configured here.

System Tunables

The System Tunables menu enables you to modify a subset of system settings. It is not recommended to play with these settings unless you know what you’re doing.

The menu consists of a list of parameters that can be modified by clicking the pencil icon to the right of each parameter.

Notifications

You can configure email and Growl notifications from here. You can also enable or disable the default startup / shutdown beep from here.

Cert. Manager

System/ Cert. Manager
CAs

The CAs page lists all of the Certificate Authorities (CAs) configured on the system. This is also where you would create or import new CAs. You can also export CA certificates and keys, as well as delete unused CAs from the system.

Certificates

The Certificates page lists all of the certificates that exist on the system. As with the CAs page, you can create, import, export (certificate & key), and delete certificates from here.

Certificate Revocation

From here you can create certificate revocation lists for each of the configured CAs on your system. If no CAs are configured, this page will be empty.

General Setup

System / General Setup
General Setup

The General Setup page enables you to configure general settings on your system. This means things like the hostname and domain, the DNS servers for the firewall itself, localization settings, and various configuration options for the web GUI, such as the theme, the number of columns displayed, etc.

High Availability Sync

System/ High Availability Sync
High Availability Sync

This page enables you to configure HA Sync: syncing multiple firewalls together for stateful failover. You can configure state synchronization settings and configuration synchronization settings from here.

Logout

System/ Logout
Logout

Clicking this menu logs you out of the GUI.

Package Manager

System/ Package Manager
Installed Packages

This page lists all of the optional packages you’ve installed to your system. You can update or delete packages from here.

Available Packages

This page lists the available packages and you can install them from here. The list excludes any packages already installed.

*The screenshot does not display the entire list of available packages.

Routing

System/ Routing
Gateways

The Gateways page lists all of the gateways on your system and provides detailed information on each of them. You can create and delete gateways from here, and edit them by clicking the pencil icon to the right of each one. You can also set the default gateway from here.

Static Routes

Static routes are defined to provide a route to networks that aren't directly attached to pfSense and that aren't reachable via the default gateway.

This page lists all of the static routes configured on your system. You can add, edit or delete static routes from here.

Gateway Groups

The Gateway Groups page lists all of the gateway groups configured on your system. A gateway group is a group of gateways that can be used as a single gateway in your firewall rules. Gateway groups can be used for failover or load balancing. You can create, edit, or delete gateway groups from this page.

Setup Wizard

System/ Setup Wizard
Setup Wizard

This is a setup wizard for configuring pfSense for the first time. You can follow the on-screen instructions and you’ll end up with a basic working pfSense configuration.

Update

System/ Update
Update

This is where you perform operating system updates of pfSense.

Update Settings

The Update Settings page enables you to select your update branch (beta or stable). You can also disable the Dashboard auto-update check from here.

User Manager

System/ User Manager
Users

The Users page lists all of the user accounts configured on your system. You can add, remove, or edit users from here.

Groups

The Groups page lists the user groups configured on your system. You can add, remove, or edit groups from here.

Settings

From here, you can select your authentication server. The list is restricted to what is available on your system. By default, this is set to Local Database.

Authentication Servers

This is where you configure your authentication servers. Local Database is selected by default, but pfSense supports RADIUS and/or LDAP servers as well. You can add, remove, and edit your authentication servers from here.

Interfaces

The Interfaces menu is where you can configure the active interfaces on your system. Each physical network card present on your system is considered an interface, and can host a network segment (a subnet, such as your LAN – 192.168.1.0/24). Certain services, like VPNs, can also create virtual interfaces (implemented by software), which can also host a network segment. All interfaces, whether physical or virtual, are managed from here.

Interface Assignments

Interfaces/ Interface Assignments
Interface Assignments

This page lists all of the configured interfaces on your system, as well as the available interfaces that haven’t been configured yet. You can assign, edit, or delete interfaces from here.

Clicking an interface name from this menu takes you to that interface’s settings, where you can edit things like the interface’s IPv4 and IPv6 configuration and the speed and duplex settings (physical interfaces), among other things.

WAN
LAN

Interface Groups

Interfaces/ Interface Groups
Interface Groups

Interface groups consist of a subset of existing interfaces on the system, which are defined as a group. Interface groups are used to apply firewall and NAT rules to a set of interfaces.

Interface groups are configured from here.

Wireless

Interfaces/ Wireless
Wireless

pfSense also supports wireless interfaces. These are configured here.

VLANs

Interfaces/ VLANs
VLANs

VLANs enable a switch to carry multiple discrete broadcast domains, allowing a single switch to function as if it were multiple switches, by tagging the traffic on each of the switch’s configured ports.

VLANs are configured from here. A VLAN-capable switch is required.

QinQs

Interfaces/ QinQs
QinQs

QinQ (also referred to as IEEE 802.1ad) is a means of nesting VLAN tagged traffic inside of packets that are already VLAN tagged, or “double tagging” the traffic.
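What the tagging described under VLANs and QinQs looks like on the wire, as an added example that is not part of the original guide or of pfSense itself. It parses the tag stack of an Ethernet frame; the sample frames, MAC addresses and VLAN IDs are constructed for illustration.

```python
import struct

TPID_CTAG = 0x8100  # IEEE 802.1Q customer tag (ordinary VLAN tag)
TPID_STAG = 0x88A8  # IEEE 802.1ad service tag (outer tag in QinQ)


def parse_vlan_stack(frame: bytes):
    """Walk the VLAN tags that follow the two MAC addresses.

    Returns (tags, ethertype, payload_offset); tags are listed outermost first.
    """
    offset = 12  # skip destination and source MAC (6 bytes each)
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated before EtherType")
        (tpid,) = struct.unpack_from("!H", frame, offset)
        if tpid not in (TPID_CTAG, TPID_STAG):
            # Not a tag: this field is the real EtherType, payload follows.
            return tags, tpid, offset + 2
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({
            "tpid": tpid,
            "pcp": tci >> 13,          # priority code point, 3 bits
            "dei": (tci >> 12) & 0x1,  # drop eligible indicator, 1 bit
            "vid": tci & 0x0FFF,       # VLAN ID, 12 bits
        })
        offset += 4


def describe(frame: bytes) -> str:
    """One-line summary: untagged, single VLAN tag, or a nested (QinQ) stack."""
    tags, ethertype, _ = parse_vlan_stack(frame)
    if not tags:
        return f"untagged, EtherType 0x{ethertype:04x}"
    if len(tags) == 1:
        return f"VLAN {tags[0]['vid']}, EtherType 0x{ethertype:04x}"
    vids = " / ".join(str(t["vid"]) for t in tags)
    return f"{len(tags)} tags (outer to inner VID {vids}), EtherType 0x{ethertype:04x}"


def build_frame(tag_list, ethertype=0x0800, payload=b"\x00" * 46):
    """Constructed sample frame: fixed MACs, tags given as (tpid, pcp, vid)."""
    dst = bytes.fromhex("020000000001")
    src = bytes.fromhex("020000000002")
    tags = b"".join(struct.pack("!HH", tpid, (pcp << 13) | vid)
                    for tpid, pcp, vid in tag_list)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


# Constructed samples: no tag, one 802.1Q tag, and an 802.1ad double tag.
UNTAGGED = build_frame([])
SINGLE = build_frame([(TPID_CTAG, 0, 20)])
QINQ = build_frame([(TPID_STAG, 0, 100), (TPID_CTAG, 5, 20)])

if __name__ == "__main__":
    for sample in (UNTAGGED, SINGLE, QINQ):
        print(describe(sample))
```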

PPPs

Interfaces/ PPPs
PPPs

Point-to-Point Protocol (PPP) interfaces link two routers together directly without any host or any other networking in between and can provide connection authentication, transmission encryption, and compression.

There are four types of PPP interfaces:

  • Plain PPP for 3G / 4G and modem devices
  • PPPoE for DSL or similar connections
  • PPTP and L2TP for ISPs that require them for authentication.

These are configured from here.

GREs

Interfaces/ GREs
GREs

Generic Routing Encapsulation (GRE) is a method of tunneling traffic between two endpoints without encryption. It can be used to route packets between two locations that aren’t directly connected and which don’t require encryption. GRE supports both IPv4 and IPv6.

GRE interfaces are configured from here.

GIFs

Interfaces/ GIFs
GIFs

A Generic Tunneling Interface (GIF) is similar to GRE, in that it tunnels traffic between two hosts without encryption. However, GIF may be used to tunnel IPv6 over IPv4 networks and vice versa.

GIF interfaces are configured here.

Bridges

Interfaces/ Bridges
Bridges

A Bridge interface consists of two existing interfaces on the system that are bridged together. Bridging interfaces allows you to combine multiple interfaces onto a single broadcast domain, where two ports on the firewall will act as if they are on the same switch, except that traffic between the interfaces can be controlled with firewall rules.

Bridge interfaces are configured from here.

LAGGs

Interfaces/ LAGGs
LAGGs

Link Aggregation (LAGG) combines multiple physical interfaces together as one logical interface, in order to increase throughput beyond what a single connection could sustain and to provide redundancy in case one of the links should fail. Link aggregation is handled by lagg(4) type interfaces (LAGG) in pfSense.

Link Aggregation can be configured here.

Firewall

The Firewall menu enables you to configure elements pertaining to the firewall’s behavior as it transfers packets over the network. Defining aliases, configuring NAT and firewall rules, and traffic shaping, among other things, are done from here.

Aliases

Firewall/ Aliases
IP

This page lists all of the IP aliases you defined on your system. Aliases define a group of ports, hosts, or networks that can be used in firewall rules, affecting the entire group. You can create, edit, or delete IP aliases from this page. You can also import lists of IP addresses by clicking the Import button.

Ports

This page lists all of the port aliases you defined on your system. You can create, edit, or delete port aliases from this page. You can also import lists of ports by clicking the Import button.

URLs

This page lists all of the URL aliases you defined on your system. URL aliases consist of URLs that link to a list of ports, hosts, or networks, that are imported and defined as an alias. You can create, edit, or delete URL aliases from this page.

All

This page lists all of the defined aliases on your system, regardless of type. You can create, edit, or delete aliases from this page. You can also import lists of IP addresses or ports by clicking the Import button.

NAT

Firewall/ NAT
Port Forward

From this page, you can configure port forwarding on your system, by creating rules that define the traffic to forward and where. You can create, edit, or delete port forwarding rules from here.

1:1

1:1 NAT maps a specified public IP address to a specified private IP address (or subnet). 1:1 NAT is typically used to allow access to an internal server with a private IP address, from the outside (internet). This can be configured from here.

Outbound

This is where you can create, edit, or delete your outbound NAT rules. You can choose between Automatic, Hybrid, or Manual NAT rule generation.

Outbound NAT rules are applied from top to bottom. You can also disable outbound NAT altogether from here.

NPt

IPv6 Network Prefix Translation (NPt) is used to translate one IPv6 prefix to another. NPt works similarly to 1:1 NAT but over IPv6. NPt is configured from here.

Rules

Firewall/ Rules
Rules

The Firewall/Rules menu defaults to displaying the WAN rules.

Clicking an interface name from this menu takes you to that interface’s firewall rules.

All firewall rules in pfSense are applied from top to bottom. You can create, edit, or delete firewall rules for the selected interface from here.

Floating

Floating firewall rules affect multiple interfaces at once and are applied before interface firewall rules. All firewall rules in pfSense are applied from top to bottom. You can create, edit, or delete floating firewall rules from this page.

WAN
LAN
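Because rules are applied from top to bottom, a broad rule placed above a narrower one decides the packet before the narrower rule is reached. The following added example (not part of the original guide or of pfSense) models that ordering with aliases and reports rules that an earlier rule fully covers. It assumes floating rules have Quick set so the first match wins, that unmatched traffic is dropped, and it uses a constructed rule set and alias table.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample aliases (name -> networks), as defined under Firewall / Aliases.
ALIASES = {
    "mgmt_hosts": ["192.168.1.10/32", "192.168.1.11/32"],
    "lan_net": ["192.168.1.0/24"],
}
ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "pass" or "block"
    proto: str                # "tcp", "udp" or "any"
    src: str                  # CIDR, alias name or "any"
    dst: str
    ports: tuple = ANY_PORTS  # inclusive destination port range


def networks(spec):
    """Expand 'any', an alias name or a CIDR string into a list of networks."""
    if spec == "any":
        return [ip_network("0.0.0.0/0")]
    return [ip_network(n) for n in ALIASES.get(spec, [spec])]


def matches(rule, proto, src, dst, dport):
    """True if the packet falls inside every field of the rule."""
    return (
        rule.proto in ("any", proto)
        and any(ip_address(src) in n for n in networks(rule.src))
        and any(ip_address(dst) in n for n in networks(rule.dst))
        and rule.ports[0] <= dport <= rule.ports[1]
    )


def evaluate(floating, interface, proto, src, dst, dport):
    """Return (action, rule name) of the first match, floating rules first."""
    for rule in list(floating) + list(interface):
        if matches(rule, proto, src, dst, dport):
            return rule.action, rule.name
    return "block", "default deny"  # assumption: nothing matched, packet dropped


def covers(earlier, later):
    """True if every packet matched by `later` is also matched by `earlier`."""
    def subset(inner, outer):
        return all(any(a.subnet_of(b) for b in networks(outer))
                   for a in networks(inner))
    return (
        earlier.proto in ("any", later.proto)
        and subset(later.src, earlier.src)
        and subset(later.dst, earlier.dst)
        and earlier.ports[0] <= later.ports[0]
        and later.ports[1] <= earlier.ports[1]
    )


def find_shadowed(floating, interface):
    """List (rule, covering rule, kind) for rules that can never be reached."""
    ordered = list(floating) + list(interface)
    findings = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "conflict"
                findings.append((later.name, earlier.name, kind))
                break
    return findings


# Constructed rule set: the SMB block sits below the broad LAN pass rule.
FLOATING = [Rule("block-telnet", "block", "tcp", "any", "any", (23, 23))]
LAN_RULES = [
    Rule("lan-to-any", "pass", "any", "lan_net", "any"),
    Rule("block-lan-smb-out", "block", "tcp", "lan_net", "any", (445, 445)),
    Rule("mgmt-ssh", "pass", "tcp", "mgmt_hosts", "192.168.1.1/32", (22, 22)),
]

if __name__ == "__main__":
    print(evaluate(FLOATING, LAN_RULES, "tcp", "192.168.1.50", "203.0.113.5", 445))
    for finding in find_shadowed(FLOATING, LAN_RULES):
        print(finding)
```

Moving `block-lan-smb-out` above `lan-to-any` makes the block take effect and clears the conflict finding.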

Schedules

Firewall/ Schedules
Schedules

You can define schedules for firewall rules to be enabled and disabled and add the defined schedule(s) to the rules of your choice. You can create, edit, or delete schedules from here.

Traffic Shaper

Firewall/ Traffic Shaper
By Interface

pfSense includes a built-in traffic shaper that can be defined by interface from this page. By selecting an interface from the displayed list, you can configure traffic shaping for the selected interface. pfSense supports two types of traffic shaping: ALTQ and limiters.

By Queue

The ALTQ Traffic Shaper type works by creating traffic queues which it manages according to the defined parameters. All ALTQ traffic queues are displayed and can be edited here.

Limiters

Limiting bandwidth for defined hosts is another way pfSense can perform traffic shaping. You can create, edit, or delete limiters from here.

Wizards

pfSense includes a traffic shaping wizard. By following the on-screen instructions, pfSense will automatically configure traffic shaping for you. Bear in mind that the results are likely to require a bit of tweaking for optimal operation.

Virtual IPs

Firewall/ Virtual IPs
Virtual IPs

Virtual IP addresses are IP addresses that are not assigned to any physical interface on your system, but that are still routable by the firewall. Virtual IPs are typically used for network address translation, mobility, fault-tolerance and failover.

pfSense supports four types of virtual IP addresses:

  • IP Alias
  • CARP
  • Proxy ARP
  • Other

These can be configured here.

Services

The Services menu, as its name states, is where you can manage the various services running on your pfSense system. The Captive Portal, DHCP Servers or Relays, DNS Forwarder and Resolver, Dynamic DNS, etc., are all configured and managed from the Services menu.

Auto Configuration Backup

Services/ Auto Configuration Backup
Settings

pfSense provides a free encrypted cloud backup tool that backs up your firewall configurations to Netgate servers. The service can be enabled, disabled, and configured from this page.

Restore

From this page, you can restore your system using one of your backed-up configurations.

Backup now

You can perform a manual backup to Netgate’s servers from here.

Captive Portal

Services/ Captive Portal
Captive Portal Zones

A captive portal is software that forces users on the network to authenticate themselves before obtaining network/internet access. This authentication step occurs after a user has entered the WiFi password and has connected to the router, by redirecting their connection to an authentication HTML page. Once properly authenticated, network/internet access is granted. This is common in hotels, for example.

When a captive portal is running on a network segment (a subnet), it is referred to as a captive portal zone.

This page displays any captive portal zones you configured on your system. When you click Add to create one or when you edit an existing zone, the following pages are displayed.

Configuration

This is where you set up your captive portal zone. You can configure things such as the interface on which it runs, authentication, accounting and the HTML page contents of the captive portal redirect page.

MACs

You can filter access to the captive portal (block or bypass the captive portal) as well as limit up and down bandwidth for specific clients, by MAC address, from here.

Allowed IPs

The Allowed IPs page works exactly like the MACs page, but it filters by IP address rather than by MAC address. You can filter access to the captive portal as well as limit up and down bandwidth for specific clients by IP address from here.

Allowed Hostnames

The Allowed Hostnames page works exactly like the Allowed IPs page, but it filters by hostname rather than by IP address. You can filter access to the captive portal as well as limit up and down bandwidth for specific clients, by hostname, from here.

Vouchers

You can grant access to the captive portal by issuing time-based vouchers. These are generated from this page.

File Manager

From this page, you can upload or delete assets to be used to create a custom captive portal HTML page.

DHCP Relay

Services/ DHCP Relay
DHCP Relay

From this page, you can configure the IPv4 DHCP Relay service for the selected interface. A DHCP Relay is used to allow a DHCP server on one segment of the network to provide IP addresses to clients on other network segments. Make sure that DHCP Server is disabled. DHCP Relay and DHCP Server cannot be used concurrently.

DHCP Server

Services/ DHCP Server
DHCP Server

From this page, you can configure the IPv4 DHCP Server for the selected interface. Make sure that DHCP Relay is disabled. DHCP Relay and DHCP Server cannot be used concurrently.

DHCPv6 Relay

Services/ DHCPv6 Relay
DHCPv6 Relay

From this page, you can configure the IPv6 DHCP Relay service for the selected interface. Make sure that DHCP Server is disabled. DHCP Relay and DHCP Server cannot be used concurrently.

DHCPv6 Server & RA

Services/ DHCPv6 Server & RA
DHCPv6 Server

From this page, you can configure the IPv6 DHCP Server for the selected interface. Make sure that DHCP Relay is disabled. DHCP Relay and DHCP Server cannot be used concurrently.

Router Advertisements

From this page, you can set your router advertisements for the DHCPv6 server. For the DHCPv6 server to be active on the network, router advertisements must be set to either Managed or Assisted mode here.

DNS Forwarder

Services/ DNS Forwarder
DNS Forwarder

This page is where you can enable, disable, and configure the DNS Forwarder. The DNS Forwarder forwards your DNS requests to the DNS servers you configured in System / General Setup. You can also configure domain and host overrides for the DNS Forwarder from here.

DNS Resolver

Services/ DNS Resolver
General Settings

The DNS Resolver in pfSense uses unbound, a validating, recursive, caching DNS resolver, and is favored over the DNS Forwarder. The DNS resolver can either query the root servers or be configured in forwarding mode and forward your requests to the DNS servers you configured in System / General Setup.

From this page, you can enable, disable, and configure the DNS Resolver. You can also configure domain and host overrides for the DNS Resolver from here.

Advanced Settings

As the name suggests, this is where you can further configure the DNS Resolver, using the advanced options.

Access Lists

You can configure access lists to filter access to the DNS Resolver from here. You can set the action (deny, refuse, allow, allow snoop, deny nonlocal, refuse nonlocal) and the networks to which the list applies.

Dynamic DNS

Services/ Dynamic DNS
Dynamic DNS Clients

Dynamic DNS enables you to reach your pfSense firewall from the internet by using a hostname rather than its IP address. The hostname always remains the same even if the underlying IP address changes. This can be useful for VPN access, for example.

From this page, you can enable, disable, and configure Dynamic DNS on your system. By selecting your dynamic DNS provider from the list, the options on the page are updated accordingly.

RFC 2136 Clients

RFC 2136 Dynamic DNS registers a hostname on any DNS server supporting RFC 2136 style updates. These dynamic DNS clients can be configured here.

Check IP Services

This page displays the IP address checking service used by Dynamic DNS. By default, dyndns.org is used, but you can disable it and add your own from here.

IGMP Proxy

Services/ IGMP Proxy
IGMP Proxy

The IGMP Proxy enables you to proxy multicast traffic between network segments. This can be configured from this page.

Load Balancer

Services/ Load Balancer
Pools

pfSense natively supports server load balancing and failover, using relayd.

From this page, you can create load balancing/failover pools and define the web servers that are part of each pool.

Virtual Servers

The Virtual Servers page is where you define a public-facing IP address and port for the web server(s).

Monitors

From here, you can configure the different monitors to be used by relayd. Many are already configured. You can add, edit, or delete monitors from here.

Settings

From here, you can configure a few additional settings, such as the timeout, interval, and prefork values.

NTP

Services/ NTP
Settings

The Services / NTP pages enable you to configure pfSense as a Network Time Protocol (NTP) server to synchronize the clocks of systems connected to the firewall.

From the Settings page, you can select the interfaces the NTP server will listen on and define the time servers used by your local NTP server, among other settings.

ACLs

From this page, you can define access restrictions to your local NTP server.

Serial GPS

You can use a GPS connected via a serial port as a reference clock for NTP. This is configured here.

PPS

You can use a device with a Pulse Per Second (PPS) output as a PPS reference for NTP. This is configured here.

PPPoE Server

Services/ PPPoE Server
PPPoE Server

pfSense can be used as a Point-to-Point Protocol over Ethernet (PPPoE) server and accept and authenticate connections from PPPoE clients on a local interface. This is configured here.

SNMP

Services/ SNMP
SNMP

You can monitor your pfSense firewall using the Simple Network Management Protocol (SNMP). The SNMP service can be enabled, disabled, and configured from this page.

UPnP & NAT-PMP

Services/ UPnP & NAT-PMP
UPnP & NAT-PMP

Universal Plug & Play (UPnP) and NAT Port Mapping Protocol (NAT-PMP) allow software and devices to configure each other for proper communication when attaching to a network. Both are natively supported by pfSense and are configured from this page. You can also configure an ACL (access control list) for UPnP from here.

Wake-on-LAN

Services/ Wake-on-LAN
Wake-on-LAN

Wake-on-LAN (WoL) is a service that can be used to remotely power on computers on your network, by sending what are referred to as “magic packets”. The network card in the computer you want to power on must support WoL, and the computer’s BIOS must be configured for support as well.

From this page, you can dynamically power on one of the computers on your network by entering its MAC address.

You can also add computers to the Wake-on-LAN Devices list (by MAC address) and turn them all on at once, using the Wake All Devices button.

VPN

pfSense natively supports three Virtual Private Network (VPN) protocols: IPsec (IKEv1 & IKEv2), L2TP/IPsec, and OpenVPN. All three are configured from the VPN menu.

IPsec

VPN/ IPsec
Tunnels

This is where you can configure pfSense to act as an IPsec VPN server.

From the Tunnels page, you can create, edit, or delete IPsec tunnels. The Tunnels page displays any Phase 1 tunnels configured on your system and their associated Phase 2 tunnels.

Mobile Clients

This is where you enable/disable and configure IPsec mobile client support. From this page, you can configure things such as authentication sources, virtual IP addresses, and more.

Pre-Shared Keys

This page displays your IPsec pre-shared keys (if any). From here, you can create, edit, or delete your IPsec pre-shared keys.

Advanced Settings

From this page, you can set up miscellaneous IPsec options, such as IP compression and strict interface binding, among other settings.

L2TP

VPN/ L2TP
Configuration

L2TP is a tunneling protocol which is used in conjunction with IPsec (IKEv1), in the L2TP/IPsec VPN protocol. L2TP does not provide encryption in itself. IPsec encrypts the packets transiting through the L2TP tunnel in L2TP/IPsec.

From this page, you can enable, disable, and configure L2TP.

Users

This page lists all of your L2TP users. You can create, edit, and delete L2TP users from here.

OpenVPN

VPN/ OpenVPN
Servers

The Servers page is where you can create and configure a local OpenVPN server. You can also delete OpenVPN servers from here.

Clients

The Clients page is where you can create and configure a local OpenVPN client. You can also delete OpenVPN clients from here.

Client Specific Overrides

From here you can override some OpenVPN settings by enabling some of the available options in the GUI or by adding additional OpenVPN directives that apply to a specific user of one of your configured OpenVPN servers. An example would be to assign a specific IP address to a user (ifconfig-push 10.10.0.10).

Wizards

pfSense includes an OpenVPN server wizard. By following the on-screen instructions, pfSense will automatically configure an OpenVPN server for you.

Status

The Status pages display status information on various services running on your pfSense system. You’ll find many of the same submenus in the Status menu as in the Services menu. But while the Services menu allows you to edit the services’ settings, the Status menu provides status information on the configured services. Some pages may be empty depending on your configuration and the services running.

Captive Portal

Status/ Captive Portal
Captive Portal

The Captive Portal Status page displays all of the active users of your Captive Portal Zones.

CARP

Status/ CARP
CARP

The Cache Array Routing Protocol (CARP) enables you to create virtual IP addresses to be used to set up High Availability Sync in pfSense.

The CARP Status page displays the current status of all configured CARP virtual IP addresses. You can also enable and disable CARP from here.

Dashboard

Status/ Dashboard
Clicking this menu takes you to the pfSense Dashboard.

DHCP Leases

Status/ DHCP Leases
DHCP Leases

The DHCP Leases Status page displays all of your IPv4 DHCP leases and their status (active, expired, static).

DHCPv6 Leases

Status/ DHCPv6 Leases
DHCPv6 Leases

The DHCPv6 Leases Status page displays all of your DHCPv6 leases and their status (active, expired, static).

DNS Resolver

Status/ DNS Resolver
DNS Resolver

The DNS Resolver Status page lists caching statistics for each configured DNS server on the System / General Setup page.

Filter Reload

Status/ Filter Reload
Filter Reload

This page shows the status of the last filter reload request and enables you to force reload the packet filter, by clicking the Reload Filter button.

Gateways

Status/ Gateways
Gateways

The Gateways Status page lists all of your configured gateways and provides high-level statistics for each one.

Gateway Groups

The Gateway Groups Status page lists all of your configured gateway groups and lists the tier of each member of the gateway group.

Interfaces

Status/ Interfaces
Interfaces

This page lists all of the configured interfaces on your system and displays high-level information for each one.

IPsec

Status/ IPsec
Overview

The Overview page lists all active IPsec connections and provides high-level information on each connection. It also displays information on each connection’s child security association (SA) entries.

Leases

This page lists the active IPsec leases.

SADs

The Security Association Databases (SADs) page lists all active IPsec security associations.

SPDs

The Security Policies Databases (SPDs) Status page displays all active IPsec security policies.

Load Balancer

Status/ Load Balancer
Pools

The Load Balancer / Pools page lists your existing load balancing / failover pools and displays high-level information on them.

Virtual Servers

The Load Balancer / Virtual Servers page lists your existing virtual servers (public IP and port) and displays high-level information on them.

Monitoring

Status/ Monitoring
Monitoring

The Monitoring Status page allows you to create a custom graph to monitor your system using the provided metrics, such as bandwidth used, CPU usage, firewall states, etc. Once you have selected your parameters, click Update Graphs and your custom graph is displayed with a data summary below.

NTP

Status/ NTP
NTP

This page displays information on the NTP servers used by your system.

OpenVPN

Status/ OpenVPN
OpenVPN

The OpenVPN Status page lists all of the active OpenVPN client connections to local and remote OpenVPN servers.

Package Logs

Status/ Package Logs
Package Logs

Certain optional packages’ logs can be viewed from this page. No native pfSense logs are displayed here.

Queues

Status/ Queues
Queues

The Queues Status page lists information about your active traffic shaping queues. The queue graphs sample data at regular intervals.

Services

Status/ Services
Services

This page displays the status of the various services configured on your firewall. You can also stop or restart each service, as well as a few other options, according to the service.

System Logs

Status/ System Logs
System Logs

This is where you can view the various native logs produced by pfSense. The logs are organized by service. Some sections may be empty depending on your configuration and the services you’re running.

Settings

There is also a Settings page within the System Logs page. From the Settings page, you can configure things like log rotation, enable or disable logging of certain default firewall rules, and configure pfSense to log to a remote Syslog server.

Traffic Graph

Status/ Traffic Graph
Traffic Graph

From the Traffic Graph Status page, you can create a real-time graph for any configured interface on your system. You can display bandwidth in or bandwidth out data and set a few other additional options.

UPnP & NAT-PMP

Status/ UPnP & NAT-PMP
UPnP & NAT-PMP

This page displays the list of currently active UPnP port forwards.

Diagnostics

The Diagnostics menu contains tools that allow you to troubleshoot, test, and measure your system’s performance. It’s also where you can perform local configuration backups and restores, as well as edit system files, restore the system to factory settings, and reboot and power off pfSense.

ARP Table

Diagnostics/ ARP Table
ARP Table

The Address Resolution Protocol (ARP) Table page displays all of the ARP entries configured on the system, listing the IP & MAC addresses, along with the status and link type for each one.

You can also delete ARP entries from here.

Authentication

The Authentication Diagnostics page allows you to perform authentication tests on any of your configured authentication servers. Select an authentication server and enter a username and password to perform an authentication test.

Backup & Restore

From this page, you can perform a manual local backup or restore of your pfSense configuration. You can also choose to only reinstall the additional packages listed in your configuration when performing a restore.

Config History

pfSense automatically creates a backup of its configuration file every time a change is made in the GUI. The Config History page lists the last 30 configuration backups and displays the action that triggered the backup.

You can restore any of the saved configurations from here, as well as download or delete a saved configuration file. You may need to reboot your system for the restored configuration to take effect.

Command Prompt

From the Command Prompt page, you can execute a shell command, upload or download a file to/from the pfSense file system, and execute PHP commands.

DNS Lookup

This page allows you to perform a DNS lookup. When performing a DNS lookup, pfSense queries all of the DNS servers configured on the System / General Setup page. Simply type the hostname you want to look up, and its IP address is displayed, along with the query time for each DNS server.

Edit File

From this page, you can browse to any file on the file system and make edits. This can be destructive and is not recommended unless you know what you are doing.

Factory Defaults

Clicking this menu item resets pfSense to its default settings.

Halt System

Clicking this menu item powers off pfSense.

Limiter Info

This page displays each configured limiter and child queue in text format.

NDP Table

The NDP Table page displays the IPv6 Neighbour Discovery Protocol list. The list contains all of the current IPv6 peers and is essentially equivalent to the ARP Table for IPv4.

Packet Capture

The Packet Capture page allows you to perform packet captures for any configured interface on the system. You can set various options, such as the protocol, port, and packet count, among others. Once the packet capture has stopped, you can view or download the capture.

pfInfo

The pfInfo page displays statistics and counters for the firewall packet filter. These statistics and counters serve as metrics to judge how the packet filter is processing data.

pfTop

This page lists all of the connections in the state table. There is also a filter panel on the page, enabling you to search for specific connections.

If a connection is active, you can connect to the pfSense console (SSH or physical access) and select option 9 from the menu to view the traffic flowing in real time.

Ping

This page enables you to ping hosts from pfSense. You can select your IP protocol, source address, and the number of pings.

Reboot

Clicking this menu item reboots pfSense.

Routes

This page displays all of the IPv4 and IPv6 routes configured on your system.

S.M.A.R.T Status

This page enables you to perform hard drive health tests on your pfSense hard drive(s). You can view your drive’s S.M.A.R.T. status, perform a self-test, and view the test logs from here.

Sockets

This page displays the list of active TCP/IP sockets for IPv4 and IPv6 that are used by the firewall itself.

By default, only listening sockets are listed, but you can click Show all connections to display sockets in use by the system making external connections.

States

The States page displays the firewall state table, listing the interface, protocol, source and destination, and more.

There is also a filter panel on the page, enabling you to search the state table contents.

Reset States

From this page, you can reset the state table by ticking the Reset the firewall state table box and clicking Reset.

When you reset the state table, all existing connections are broken and will need to be re-established.

States Summary

The States Summary page provides statistics on the state table and its connections.

System Activity

This page displays a list of the top active processes running on the system.

Tables

From the Tables page, you can select any of the configured Host or URL aliases on your system from a list and display its contents.

Aliases are converted to tables when they’re used in active firewall rules.

Test Port

The Test Port page enables you to test whether or not a host is up and accepting connections on a specified TCP port. Enter the required fields and click Test.

Traceroute

The Traceroute page enables you to perform a traceroute (like using the traceroute command available on many platforms). It sends a special packet that traces the route it travels from the pfSense host to a remote host and displays the list of hops in between.

Help

The Help menu provides you with additional resources to learn about pfSense.

About this Page

Clicking this menu item from anywhere in the pfSense UI opens the relevant pfSense documentation section in your browser, based on the page you’re on in the pfSense GUI.

Bug Database

Clicking this menu item takes you to the pfSense bug tracker page in your browser.

Documentation

Clicking this menu item opens the pfSense documentation in your browser.

FreeBSD Handbook

Clicking this menu item opens the FreeBSD documentation in your browser.

Paid Support

Clicking this menu item opens the Netgate web page in your browser. You can purchase paid support from there.

pfSense Book

Clicking this menu item opens the pfSense book in your browser. Though similar, the book and the documentation have different content.

User Forum

Clicking this menu item opens the pfSense user forum in your browser.

User Survey

Clicking this menu item opens the pfSense survey in your browser. It is hosted by surveymonkey.com.

FAQs

How to set up pfSense step by step?

How to install and configure pfSense firewall
  1. Download the pfSense installation image from the official website. ...
  2. Burn the image to a CD or USB drive using your preferred method. ...
  3. Boot from the CD or USB drive and follow the on-screen instructions. ...
  4. Once the installation is complete, reboot your computer.
Jan 22, 2023

How to configure pfSense firewall rules?

Creating a Firewall Rule
  1. Navigate to Firewall > Rules in the pfSense web GUI.
  2. Select the interface that you want to define a rule for, such as WAN, LAN, VLAN10 or GUESTNET, etc. ...
  3. Click the green Add button with the up arrow icon at the top right corner of the rule list to add a rule to the top of the list.
Oct 5, 2023

How to configure pfSense as a gateway?

Creating a gateway
  1. Go to System | Routing.
  2. Click the Gateways tab.
  3. Click the "plus" button to add a new gateway.
  4. Select the Interface for the new gateway.
  5. Specify a Name for the gateway (no spaces allowed).
  6. Specify the IP address for the gateway—it must be a valid address on the chosen interface.

How to configure WAN interface on pfSense?

How to do it...
  1. Browse to Interfaces | WAN.
  2. Check Enable Interface.
  3. Choose an address configuration Type.
  4. Leave MAC address blank. Manually entering a MAC address here is known as "spoofing". ...
  5. Leave MTU, MSS, Hostname, and Alias IP address blank.
  6. Check Block private networks. ...
  7. Check Block bogon networks. ...
  8. Save changes.

What's better than pfSense?

If you want high customizability and a large support community, pfSense is a good option. If you prioritize an easy-to-use interface and frequent updates, instead, OPNsense may be better. Ultimately, pfSense offers more flexibility for seasoned users, but OPNsense provides a more polished out-of-box experience.

Is OpenWRT faster than pfSense?

On APU routers pfSense and OPNsense achieve about 100Mbit/s throughput. OpenWRT achieves about 140Mbit/s.

How to configure pfSense interfaces?

How Can I Configure LAN Interfaces for Local Network Access in pfSense?
  1. Navigate to Interfaces > Interface Assignments on your pfSense web UI.
  2. Pick the new interface from the Available network ports list.
  3. Click the +Add button.
Feb 5, 2024

Is pfSense stateful or stateless?

pfSense software is a stateful firewall, which means it remembers information about connections flowing through the firewall so that it can automatically allow reply traffic.

Is pfSense a router or firewall?

pfSense is mostly used as a router and firewall software, and typically configured as DHCP server, DNS server, WiFi access point, VPN server, all running on the same hardware device.

How do I connect my pfSense firewall to the Internet?

Connecting your new pfSense router to the network
  1. Unpack the box and take out the router.
  2. Connect the network cables. Unless you specified otherwise, device will come pre-configured with Port 0 as WAN and port 1 as LAN. ...
  3. Connect the power adapter. ...
  4. APU board is booting. ...
  5. Connect to the web interface.

What is the default IP and port for pfSense?

By default, the LAN IP address of a new installation of pfSense software is 192.168.1.1 with a /24 mask (255.255.255.0), and there is also a DHCP server running. If a client computer is set to use DHCP, it should obtain an address in the LAN subnet automatically.

How to configure bandwidth on pfSense?

Let's start the configuration!
  1. Creating the upload limiter. We create 2 root limiters: one for upload and one for download. ...
  2. Creating the download limiter. We click on the “+ New Limiter” button. ...
  3. Modifying firewall rules. The last step is to configure the firewall to associate traffic with limiters. ...
  4. Verifying the service.

What is the IP address of pfSense interface?

By default, it is 192.168.1.1. Enter your username and password in the login page. The defaults are admin/pfsense, respectively.

What do I need to run pfSense?

The hardware requirements for pfSense are as follows:
  1. CPU: A 64-bit amd64 (x86-64) compatible CPU is required.
  2. RAM: A minimum of 512 MB of RAM is needed.
  3. Storage: At least 8 GB of free hard disk space is required.
Mar 5, 2024

How do I connect my pfSense to my network?

Connecting your new pfSense router to the network
  1. Unpack the box and take out the router.
  2. Connect the network cables. Unless you specified otherwise, device will come pre-configured with Port 0 as WAN and port 1 as LAN. ...
  3. Connect the power adapter. ...
  4. APU board is booting. ...
  5. Connect to the web interface.

Can I use pfSense as a router?

While most often deployed as an edge or cloud router, pfSense can be configured to operate as any of the above router types.

Article information

Author: Sen. Emmett Berge
