Install and Configure pfSense

Setting up a robust firewall and gateway is a crucial step in building a secure and self-hosted environment. This guide outlines how pfSense was installed and configured in a homelab using affordable hardware and a straightforward process.

Requirements

Make sure you have:

  • A compatible device (e.g., Protectli Vault, Dell OptiPlex, an old PC)
  • A USB drive (at least 2GB)
  • A stable internet connection
  • A separate device to access the pfSense Web UI

Warning:
Ensure your hardware is compatible! Check the pfSense Hardware Guide before proceeding.

Hardware

Found a Dell OptiPlex 7040 (micro model, smaller than SFF) for $10 on eBay with only one NIC. Added a second NIC ([Ethernet](https://www.amazon.com/dp/B0CY9R5ZN8?ref=ppx_yo2ov_dt_b_fed_asin_title)), and it is ready for installing pfSense. The plan is

Network Model

Existing

The network begins with the Internet Service Provider (ISP) delivering connectivity via a fiber line to the modem, which serves as the gateway between the external internet and the local network. The modem connects directly to a wireless router, which distributes the internet connection throughout the home via both wired Ethernet connections and Wi-Fi, allowing multiple devices to access the internet simultaneously.

Current Network model

Target after Installing pfSense

In the new network setup, the ISP provides internet access to the modem, which connects to a dedicated pfSense firewall/router. pfSense acts as the central point for network security, routing, and traffic management. From pfSense, the connection is extended to a wireless access point (WAP), which provides Wi-Fi connectivity to wireless devices. This setup offers greater control, advanced firewall capabilities, and enhanced network segmentation compared to a traditional consumer router.

Network model after installing pfSense

Step 1: Download pfSense

  1. Visit pfSense.org.
  2. Select pfSense Community Edition (CE).
  3. Choose the correct architecture:
    • AMD64 (x86-64) for most systems.
    • ARM-based for Netgate devices.
  4. Download the USB Memstick Installer (VGA) version.
  5. In the BIOS, set AC Power Recovery to always Power On.

Step 2: Create a Bootable USB Drive

  1. Use a tool like Rufus (Windows) or balenaEtcher (Mac/Linux).
  2. Select the pfSense .img.gz file.
  3. Start the flashing process and wait for completion.

Note:
For Mac/Linux users, you can also use the command line:

dd if=pfsense.img of=/dev/sdX bs=1M status=progress

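Replace /dev/sdX with your USB drive. dd writes raw bytes, so decompress the .img.gz first (for example with gunzip) and point if= at the resulting .img file.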
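
Before running dd, it is worth confirming that the downloaded file matches its published SHA-256 value and that the target really is an unmounted block device. The script below is an added example, not part of the original guide or the pfSense project; the function names and the script name are made up here, and it assumes the download page lists a SHA-256 checksum for the file.

```sh
#!/bin/sh
# Added example (not from the original guide): pre-flight checks before dd.
# Function names are illustrative; the expected hash is whatever the
# download page shows for the file you fetched (an assumption of this example).

# Print the lowercase hex SHA-256 of a file (GNU coreutils or macOS shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 only if FILE hashes to EXPECTED (case-insensitive hex compare).
verify_image() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 2; }
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "checksum OK: $1"
    else
        echo "checksum MISMATCH for $1" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
}

# Return 0 only if DEV is a block device with nothing mounted from it,
# so a typo in of= cannot silently write to a regular file or a live disk.
check_target() {
    [ -b "$1" ] || { echo "not a block device: $1" >&2; return 1; }
    if mount | awk -v d="$1" 'index($1, d) == 1 { hit = 1 } END { exit !hit }'; then
        echo "refusing: $1 or one of its partitions is mounted" >&2
        return 1
    fi
}

# Usage: sh preflight.sh pfsense.img.gz <published-sha256> /dev/sdX
# Prints the dd command only when both checks pass; it never writes itself.
if [ "$#" -eq 3 ]; then
    verify_image "$1" "$2" && check_target "$3" &&
        echo "safe to run: gunzip -c $1 | sudo dd of=$3 bs=1M status=progress"
fi
```

A mismatch means the download is corrupt or is not the file the publisher released; download it again instead of flashing it.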

Step 3: Install pfSense

Plug the machine into the modem (hereafter referred to as WAN) and install pfSense using all the defaults. A step-by-step installation process can be found in the Netgate Documentation.

  1. Insert the bootable USB into the target machine.
  2. Boot from USB (Modify BIOS settings if needed).
  3. Follow the installation wizard:
    • Accept the license agreement.
    • Select Auto (ZFS) or UFS as the filesystem.
    • Choose the installation disk.
  4. After installation, remove the USB and reboot.

Warning:
This process will erase all data on the selected disk.

Step 4: Access pfSense Web Interface

Due to the absence of a wireless Access Point, a wired connection is required. Connect your laptop to the pfSense box via Ethernet, identify the assigned IP address, and proceed to http://192.168.1.1 to access pfSense.

On the login page, use the default credentials:

Username: admin
Password: pfsense

After a successful login, pfSense presents a wizard for quick configuration. Hit Next on the first two pages, then fill in the following:

Hostname: anyname
Domain: anyname. pfSense suggests not using a domain name that ends with .local
Primary DNS: 1.1.1.1 (I prefer Cloudflare)
Secondary DNS: 8.8.8.8 (Google DNS servers)
Uncheck Override DNS

Change the timezone to where the server belongs.

No changes on the next page.

Change the LAN IP to something that is not the default. I use 10.10.10.1/24.

For maximum protection against advanced internet threats, create a password that is exceptionally resilient.

After a successful reload, the pfSense web UI will be accessible on the new IP address that was set in step 5.

Step 5: Access Point

Since pfSense is now the main router and firewall, the existing wireless router will only handle Wi-Fi and pass everything to pfSense. Connect the PC to the router using a LAN cable.

  1. Disable DHCP on the wireless device (refer to its manual if more information is needed)
  2. Assign a static IP
  3. Disable NAT and the firewall
  4. Connect the wireless router to pfSense on a LAN port: run an Ethernet cable from a LAN port on pfSense to a LAN port on the router. Do not connect to the WAN port on the router.

Important: Netgate (pfSense creators) recently discontinued the Home+Lab edition, but the Community Edition (CE) remains free and fully functional for now.