
How to configure pfSense

The "webConfigurator" - pfSense basic setup part 2
Note: The following is a continuation of the How to Install pfSense posting.

1. Using your favorite browser, connect to your newly installed pfSense firewall via the LAN
interface IP address. Type the IP address of the LAN interface in your browser and you should
be presented with a “Security Issue/Warning” for the server's certificate. This is the warning
your browser gives when it receives a security certificate that it cannot validate against a
Certificate Authority; it is the browser's way of warning the end user that the site may be
untrustworthy. During the installation of pfSense, the system created a security certificate,
known as a self-signed certificate, so that a certificate would be available to encrypt the
connection between your web browser and the pfSense firewall.



2. If you take a closer look at the certificate that was issued to your browser, you will discover
that the security certificate has the IP address of your pfSense firewall but all other identifying
information is blank. Since this warning is to be expected because the certificate was
self-signed, and it does carry the IP address of your pfSense firewall, you should have a good
level of confidence that this system is your pfSense firewall and not another system posing as
it. Accept the security certificate and continue to the site. (Note: it is never a good idea to
accept a certificate issued to your browser that cannot be validated when you are surfing
the Internet.)




3. After accepting the security certificate, you should be presented with the pfSense
webConfigurator login screen. The first time you log in to your pfSense firewall, the default
username is “admin” with a password of “pfsense”. Log in to your pfSense firewall.


4. After successfully logging in to your pfSense firewall, you will be presented with the pfSense
Status Dashboard, which provides a summary of your system information along with the
status of the installed interfaces. The dashboard is configurable and can include additional
information about other components of your pfSense firewall.



5. Let's continue configuring the pfSense firewall. From the System menu, select Setup Wizard
to start the pfSense setup wizard.


6. You should then be greeted by the pfSense setup wizard; click the Next button to continue.



7. Complete the “General Information” section and click the Next button when complete:




Hostname:
Enter the name of what you want to call your firewall

Domain:
Unless you currently have a domain, create one that will be used on your local network.

Primary DNS Server & Secondary DNS Server:
Enter the IP address of your Internet provider's DNS server or a third-party DNS such as
OpenDNS, or leave it blank to have this information provided automatically via the Override
DNS setting.

Override DNS:
If you prefer pfSense to use the primary and secondary DNS servers received from your Internet
service provider, ensure that the “Allow DNS server to be overridden by DHCP/PPP on WAN”
checkbox is checked.

8. Configure “Time Server Information”.

Time server hostname:
Keep default

Timezone:
Change to your local time zone.




9. WAN Interface configuration. Unless you need to authenticate to your ISP when accessing
the Internet, which is usually a requirement of some DSL providers, or there is other
configuration you need in order to access the Internet, this section can be bypassed. Just click
the Next button.



10. Review the "Configure LAN Interface" screen. This screen can be left at its defaults unless
you want to change the IP address scheme provided by pfSense to match an IP scheme currently
in use on your or your client's network.


11. The "Set Admin WebGUI Password" screen. Enter a new pfSense “admin” user password.
It is recommended that your password be longer than 7 characters and incorporate a combination
of upper-case and lower-case letters, numbers and a special character such as !, #, %, etc. to
make it strong.


12. Reload of pfSense web browser – After configuring a new password, pfSense will require
you to log in again with the new password. Click the Reload button to refresh the screen and
log in with your new password.



13. At the end of the “Setup Wizard” you will be presented with the pfSense “Wizard
Completed” page, indicating that you have successfully completed the setup wizard and
configured pfSense with the basic configuration to protect your and your client's network
from the dangers of the Internet. Your pfSense firewall will automatically allow traffic destined
for the Internet to leave your network but block any traffic that was not initiated from your
network from entering it.


14. Now that we have successfully configured the basic settings in pfSense, we will make a
couple more changes to personalize your pfSense installation. First, let's start with the
self-signed security certificate. As you remember from step 2, the pfSense security certificate
only contained the IP address of your pfSense firewall and no other identifying information. We
will now configure the security certificate with that identifying information, which is useful if
you decide to configure VPN access in the future and allow others to connect to your or your
client's network through the pfSense firewall.

From the pfSense menu, select System | Cert Manager to access the pfSense System Certificate
Authority Manager.


15. Configure pfSense as a trusted Certificate Authority – Ensure the “CA” tab is selected and
click the “+” to create the CA.

16. From the “Method” pull-down, select “Create an internal Certificate Authority” and
complete the following fields, pressing the “Save” button when finished.

Descriptive Name:
Enter a name for the CA

Method:
Create an internal Certificate Authority

Key length:
Keep at default (2048) bits

Lifetime:
Keep at default (3650) days

Country Code:
Change to your country

State or Province:
Enter your State or Province

City:
Enter your City

Organization:
Enter what you want displayed as the organization the pfSense firewall belongs to. This
could be a business name, household name or any other name you would like to display in the
security certificate.

Email Address:
Enter the email address that others can use if they have questions about the security
certificate.

Common Name:
Enter a name for the CA security certificate.


17. Your pfSense firewall should now be configured as a trusted Certificate Authority.

18. Next we will configure the internal certificate. Click on the “Certificates” tab and then
select “Create an internal Certificate” from the Method drop-down box. Many of the fields will
be filled in automatically from what was entered in the CA tab. Just complete the following
fields:

Descriptive name:
Enter a name to describe the security certificate you are creating.

Certificate Type:
From the drop down menu, select “Server Certificate”

Common Name:
Enter the name of your firewall and domain, e.g. firewall.mynetwork.com. If you or your client
have a domain that will point to the firewall, such as a static or dynamic DNS name, you can
type that domain name here.

Press the "Save" button to save changes.
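The CA and server certificate that the Cert Manager builds in steps 16 and 18 can be reproduced on any machine with the openssl command line. This is an added example, not pfSense's own code; the country, organization, e-mail address and names it uses are placeholders. It finishes with the checks behind steps 2 and 22: the new certificate's subject and issuer, that it chains to the CA, and its SHA-256 fingerprint, which is the value to compare against what the browser shows when the certificate warning appears.

```shell
#!/bin/sh
# Added example (not pfSense's own code): mirror the Cert Manager steps with openssl.
# Subject values (country, organization, e-mail, common names) are placeholders.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Fields from step 16: Country Code, State or Province, City, Organization,
# Email Address and Common Name of the internal CA.
CA_SUBJ="/C=US/ST=My State/L=My City/O=My Household/emailAddress=admin@mynetwork.com/CN=Home pfSense CA"
# Common Name from step 18: the firewall's host and domain name.
SRV_CN="firewall.mynetwork.com"

# Step 16: internal Certificate Authority, 2048-bit key, 3650-day lifetime.
# With the default OpenSSL configuration, "req -x509" marks it as a CA (CA:TRUE).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "$CA_SUBJ" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 18: a "Server Certificate" for the firewall's name, signed by that CA.
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$SRV_CN" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  # Browsers match the host name against subjectAltName, not only the Common Name.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$SRV_CN" > "$WORK/server.ext"
  openssl x509 -req -sha256 -days 3650 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Step 22: the certificate now carries identifying information and chains to the CA.
server_subject()     { openssl x509 -in "$WORK/server.crt" -noout -subject; }
server_issuer()      { openssl x509 -in "$WORK/server.crt" -noout -issuer; }
verify_chain()       { openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt"; }
# Step 2: the value to compare with the fingerprint the browser shows in its warning.
server_fingerprint() { openssl x509 -in "$WORK/server.crt" -noout -fingerprint -sha256; }

make_ca
make_server_cert
server_subject
server_issuer
verify_chain
server_fingerprint
```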


19. Two security certificates should now be displayed under the “Certificates” tab: the one
created during the installation of pfSense and the one you just created. Currently only the
certificate created during the installation of pfSense is in use by the webConfigurator.

20. Next we will change pfSense to use the new security certificate we created for the
webConfigurator. From the “System” menu, select “Advanced”.


21. The System: Advanced screen should now be displayed. On the “Admin Access” tab, find the
following settings:

Protocol:
Ensure “HTTPS” is selected

SSL Certificate:
In the drop-down menu, change the SSL certificate to the internal certificate made in the
previous steps.

TCP port:
Change the port to 445. The port is changed from the standard 443 to 445 to free up port 443 for
future use. Hint: VPN connections on port 443 are sure to be allowed out from anywhere you may
be when on the road, if you later decide to configure remote VPN access.

Secure Shell Server:
Enable Secure Shell. This allows remote console access to your firewall.

Press the "Save" button to save changes.

22. Once you save the changes on the System: Advanced - Admin Access tab, pfSense will reissue
the security certificate, causing your browser to display the security certificate warning again.
This is to be expected since we configured pfSense to use the new security certificate we
created, except that this time, if you look at the details of the security certificate, it
should display the identifying information contained in the new certificate.


23. You may also notice that pfSense now displays an alert in the upper right-hand corner of
your screen. The alert notifies you that pfSense has created the keys required for SSH
communication. This is the result of enabling the Secure Shell Server option on the System:
Advanced - Admin Access tab. Click the alert to acknowledge the change and it should
disappear.


24. One additional change that I recommend, though not required for pfSense to work, is to
configure pfSense to show log entries in reverse order (newest entries on top). This is really
convenient when you are looking at a log that may be very long: you save time by not having
to scroll to the bottom to see the latest events.

From the menu select “Status” and then “System Logs”.


25. Once on the Status: System Logs screen, select the “Settings” tab, enable the “Show
log entries in reverse order (newest entries on top)” option and click the “Save” button at the
bottom of the page.


26. CONGRATULATIONS -- You have now completed the Basement PC Tech basic pfSense
firewall setup. Your pfSense installation should be up and running, and by selecting the
“Firewall” tab while you are still in the “Status” section you will be able to see all the Internet
traffic that is being denied and logged by pfSense: traffic that is no longer allowed to enter
your or your client's network without authorization.