pfSense CE is a FreeBSD-based firewall and router platform that rivals commercial solutions costing thousands of dollars. Running on a spare PC or dedicated mini PC, it gives you a stateful firewall, VPN server, traffic shaping, and intrusion detection — all in a clean web interface. This guide walks through a basic install and first configuration.
What You'll Need
- A PC or mini PC with two network interfaces (one for WAN, one for LAN). Intel NICs are most reliable under FreeBSD.
- At least 1 GB RAM and 8 GB storage (16 GB recommended)
- A USB drive (1 GB+) for the installer
- Temporary monitor and keyboard for the initial setup
Popular hardware choices: Protectli Vault, Topton N5105 mini PC, or any old laptop with a USB-to-Ethernet adapter for a second NIC.
Step 1: Download pfSense CE
Download the AMD64 installer ISO from the official pfSense site. Choose the DVD Image (ISO) Installer format.
Step 2: Create Installation Media
Flash the ISO to a USB drive with balenaEtcher or, on Linux:
sudo dd if=pfSense-CE-2.7.x-RELEASE-amd64.iso of=/dev/sdX bs=4M status=progress
sync
Replace /dev/sdX with your USB device. Verify the device name with lsblk first, because dd overwrites the target without asking for confirmation.
Step 3: Install pfSense
Boot from the USB drive. The installer is straightforward:
- Accept the copyright notice and select Install
- Choose your keymap (typically US)
- Select Auto (UFS) partitioning for simplicity, or ZFS for advanced setups
- Confirm the target disk and let the installer run (~2 minutes)
- Reboot and remove the USB drive
Step 4: Assign Interfaces at the Console
On first boot, pfSense asks you to assign WAN and LAN interfaces. It lists detected NICs by name (e.g., igb0, igb1):
Valid interfaces are:
igb0 00:1a:4b:xx:xx:xx (up)
igb1 00:1a:4b:xx:xx:yy (up)
Do you want to set up VLANs now? [y|n]: n
Enter the WAN interface name: igb0
Enter the LAN interface name: igb1
After assignment, pfSense configures the LAN with IP 192.168.1.1 and enables DHCP. Connect a computer to the LAN port and open http://192.168.1.1 in a browser.
Step 5: Web Configurator Setup Wizard
Log in with the default credentials admin / pfsense and run the setup wizard:
- Set your hostname and domain
- Configure DNS servers (e.g., 1.1.1.1 and 9.9.9.9)
- Set the WAN type — typically DHCP if your ISP uses dynamic addressing, or PPPoE for fiber/DSL connections
- Change the admin password (do this immediately)
Step 6: Create Your First Firewall Rules
pfSense blocks all inbound traffic from WAN by default (good). LAN traffic is allowed out by default. Go to Firewall → Rules → LAN to see the default allow-all rule.
A useful first rule — block your IoT devices from reaching your main LAN. If you have a separate IoT VLAN on 192.168.10.0/24:
Action: Block
Interface: IoT
Protocol: Any
Source: IoT net
Destination: LAN net
Description: Block IoT to LAN
Place this rule above the default allow rule. pfSense processes rules top-to-bottom, first match wins.
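Added example (not part of the original guide and not pfSense code): a small Python model of first-match evaluation on the IoT interface, showing what happens when the block rule sits below an allow rule. The LAN subnet 192.168.1.0/24, the allow-any rule on the IoT interface, and all function and variable names are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

IOT_NET = ip_network("192.168.10.0/24")  # IoT VLAN from the guide
LAN_NET = ip_network("192.168.1.0/24")   # assumed LAN subnet (pfSense default)
ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str  # "pass" or "block"
    source: IPv4Network
    destination: IPv4Network
    description: str

BLOCK_IOT_TO_LAN = Rule("block", IOT_NET, LAN_NET, "Block IoT to LAN")
ALLOW_IOT_ANY = Rule("pass", IOT_NET, ANY, "Allow IoT to any")  # assumed rule

def evaluate(rules, src, dst):
    """Return (action, description) of the first rule matching src -> dst."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if src in rule.source and dst in rule.destination:
            return rule.action, rule.description
    return "block", "implicit default deny"  # nothing matched

def shadowed(rules):
    """List (rule, earlier_rule) pairs where the later rule can never match."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (later.source.subnet_of(earlier.source)
                    and later.destination.subnet_of(earlier.destination)):
                found.append((later.description, earlier.description))
                break
    return found

CORRECT = [BLOCK_IOT_TO_LAN, ALLOW_IOT_ANY]
MISORDERED = [ALLOW_IOT_ANY, BLOCK_IOT_TO_LAN]

if __name__ == "__main__":
    for name, rules in (("correct", CORRECT), ("misordered", MISORDERED)):
        # Constructed sample flows: IoT camera to a LAN host, then to the internet
        print(name, evaluate(rules, "192.168.10.50", "192.168.1.20"),
              evaluate(rules, "192.168.10.50", "1.1.1.1"), shadowed(rules))
```

In the misordered list the block rule is reported as shadowed: it is still present in the rule table but never matches, which is the failure mode to look for when reviewing rule order.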
Step 7: Enable an OpenVPN Server
Go to VPN → OpenVPN → Wizards and use the built-in wizard to create a Remote Access VPN. Key settings:
- Authentication backend: Local User Access for simplicity
- Create a new CA and server certificate when prompted
- Tunnel network: 10.8.0.0/24 (a dedicated subnet for VPN clients)
- Local network: your LAN subnet (e.g., 192.168.1.0/24)
- Enable Redirect Gateway to route all VPN client traffic through pfSense
After the wizard, install the openvpn-client-export package under System → Package Manager, then export a ready-to-use .ovpn profile for each user.
What's Next?
- Snort or Suricata — install from Package Manager for intrusion detection. Suricata supports inline IPS mode for active blocking.
- pfBlockerNG — network-wide ad and tracker blocking, similar to Pi-hole but integrated into your firewall
- VLANs — segment your network (IoT, guest, trusted) using 802.1Q VLANs on a managed switch
- Traffic graphs — Status → Traffic Graph gives you real-time per-interface bandwidth monitoring
The pfSense documentation at Netgate is comprehensive, and the pfSense subreddit is a great resource for home lab configurations.