pfSense Installation

Antoine de Barbarin

Click on create VM button on the top right of the screen

image-20250530145934733

Fill the form with the name of the VM pfSense-infraSI and click Next

image-20250530150345411

Select the pfSense .iso image and click Next

image-20250530150619090

Click Next

image-20250530150709665

Select the disk in which install it and the size of the partition 32GiB and click Next

image-20250530150848076

Select the number of CPUs to allocate: 1 CPU with 2 cores and click Next

image-20250530151014186

Select the RAM to allocate: 2048MB and click Next

image-20250530151126781

Select the first network interface: vmbr0 (WAN interface) and click Next

image-20250530151411843

Confirm the creation of the pfSense VM

image-20250530151457604

Click on the newly created VM and then click on the tab Hardware

image-20250530152209431

Click on Add and then on Network Device and select the Bridge vmbr4 dedicated to the DMZ network then click on the Add button

image-20250530152421769

Repeat the process with the Bridge vmbr5 dedicated to the LAN network with the VLANs

image-20250530152640972

Here is the result

image-20250530152743545

Click on image-20250530153132435 and then on image-20250530153132435

Then the VM will boot and the installer will start. Accept the license and rights

image-20250530153419335

Press on Enter to begin the installation

image-20250530153517372

Accept the default partitioning option Auto (ZFS)

image-20250530153634966

Press Enter to begin the installation

image-20250530153711489

Press Enter to accept the default Stripe mode

image-20250530153808916

Press Space to select the disk and then Enter to go on

image-20250530153857558

Select Yes and press Enter

image-20250530153955079

Then, the installation will begin

image-20250530154039333

When finished, accept to reboot the VM

image-20250530154117692

While rebooting, you can remove the .iso image editing the CD/DVD Drive in the Hardware section

image-20250530154330979

When the VM has rebooted, some basic configuration will be done in the command line interface.

For the VLANs, type n for the moment (they will be created in the web interface)

image-20250530154618405

Type vtnet0 for the WAN interface, vtnet1 for the LAN and vtnet2 for the OPT1

image-20250530154920491

Confirm the network interface configuration

image-20250530155035819

Now the installation is complete. The rest of the configuration will be done on the web interface.

image-20250530155228955

Open the browser and go to pfSense's web interface. Accept the warning to continue.

image-20250530155345674

Then log in the web configurator with the default credentials (admin - pfsense)

image-20250530155625929

The first thing to do when signing in the web configurator is to follow a setup wizard. Click on Next

image-20250530155820018

Type pfsense in lowercase for the hostname and infrasi.lan for the domain name, then click on Next

image-20250530160213234

Select the timezone Europe/Paris for the NTP configuration

image-20250530160314592

Keep the WAN interface set on DHCP and uncheck the Block RFC1918 Private Networks and Block bogon networks rules and click on Next

image-20250530160621175

image-20250530160540863

image-20250530163016276

For the LAN interface, type the static IP address 172.16.0.1 and the subnet mask 29 to allow 6 hosts for the moment. It will be easily upscaled afterwards. Then click on Next

image-20250530161231799

Type a new password and confirm it. Click on Next

image-20250530161417917

Click on Reload to accept and apply the new configurations.

image-20250530161525561

Click on Finish

image-20250530161615893

Accept the license and right.

image-20250530161720007

Go to System > Advanced and change the web configurator port to 12345 to free the HTTPS port.

image-20250530162031105

If you want, you can go to System > General Setup to change the CSS theme of the web configurator

image-20250530162634648

Go to VPN > OpenVPN in the Wizard tab and click Next

image-20250530165520932

Fill the form with the following values and click on Add new CA

image-20250530165805930

Then click on Add new Certificate

image-20250530165913221

Fill the form with the following values and click on Create new Certificate

image-20250530170052918

Fill the form with the following values and click on Next

image-20250530170629577

image-20250530170718654

image-20250530170831924

Check the two rules to allow access from wherever to pass through the VPN tunnel and click on Next

image-20250530171007137

Click on Finish to save and apply the OpenVPN Server

image-20250530171117092

Go to System > User Manager and click on Add

image-20250530171359459

Fill the form with the following values and click on Save

image-20250530171557279

Go to System > Package Manager > Available Packages and search for openvpn, then on the package named openvpn-client-export click on Install and Confirm

image-20250530171834205

Wait for the installation to finish

image-20250530171947747

image-20250530172014718

Go to VPN > OpenVPN > Client Export and at the bottom of the page, you can download the exact configuration to connect to the Admin-VPN.

image-20250530172316219

After downloading the configuration (I chose Inline Configuration > Most Clients), you can access it.

image-20250530172721786

Now that the connection exists, we can easily use it with the command nmcli

image-20250530174019700

Now we can access the web configurator using the VPN, and we can see our current connection with the OpenVPN widget in the dashboard

image-20250530174529637

Go to Interfaces > Assignments > VLANs and click on Add

image-20250531000222671

Choose the vtnet2 interface (OPT1) and set the VLAN at 10 describing it as Internal Services and click on Save

image-20250531000433410

Then do the same for the Clients VLAN, with value 20 on the same network interface

image-20250531000614339

Go back to Interfaces > Assignments and set OPT1 as VLAN10 and add a new OPT2 as VLAN20 and click on Save

image-20250531000924519

Then go to Interfaces > LAN, Interfaces > OPT1 and Interfaces > OPT2 to change their names with DMZ, Services and Clients, check the option Enable interface if it's not checked already and assign a Static IP address if it's not set up already.

Interface IP address
DMZ 172.16.0.1 / 29
Services (VLAN 10) 172.17.0.1 / 28
Clients (VLAN 20) 172.18.0.1 / 27

image-20250531001425188

image-20250531002247771

Go to System > Advanced > Networking to enable KEA DHCP instead of the deprecated ISC DHCP

image-20250531002525032

Go to Services > DHCP Server to configure the DHCP Server on each interface as following

Interface Starting IP Ending IP
DMZ 172.16.0.6 172.16.0.6
Services 172.17.0.14 172.17.0.14
Clients 172.18.0.2 172.18.0.30

image-20250531003259604

image-20250531003404975

image-20250531003520225

Create aliases

Go to Firewall > Aliases and click on New, then fill the forms with the values below and click on Save

image-20250531142204445

Repeat the process for the following aliases

image-20250531142323105

image-20250531142414100

image-20250531142500135

image-20250531142534507

image-20250531142609653

image-20250531142654861

image-20250531142731779

Revision #2
Created 1 June 2025 15:00:40 by Thorgan
Updated 1 June 2025 15:14:33 by Thorgan