Back to Cheatsheets
Cheatsheet

pfSense Firewall Cheatsheet

A practical reference for pfSense firewall administration via web GUI and CLI.

Access & Basics

Web GUI & SSH

https://192.168.1.1                       # Default LAN address
ssh [email protected]                    # SSH access
# Default creds: admin / pfsense

Console Menu

1 - Assign Interfaces
2 - Set Interface IP
3 - Reset WebGUI password
4 - Reset to factory defaults
5 - Reboot
8 - Shell (FreeBSD shell)
9 - pfTop (real-time pf state)

Config.xml

/cf/conf/config.xml                       # Active config
/cf/conf/backup/                          # Auto backups
cp /cf/conf/config.xml /root/backup.xml   # Manual backup
cp /root/backup.xml /cf/conf/config.xml   # Restore
reboot

Interface Configuration

# Interfaces > WAN — DHCP/Static/PPPoE
# Interfaces > LAN — default 192.168.1.1/24
# Interfaces > Assignments — add OPT1, OPT2
 
# VLAN: Interfaces > Assignments > VLANs
# Parent: igb0, Tag: 100, then assign new interface
 
# Bridge: Interfaces > Assignments > Bridges
# Select member interfaces for transparent firewall
 
# Status > Interfaces — check link, speed, IP, packets

Firewall Rules

LAN→WAN & Port Forwarding

# Firewall > Rules > LAN
# Default: allow all LAN to any
# Action: Pass/Block/Reject, Protocol, Source, Destination, Log
 
# Firewall > NAT > Port Forward > Add
# Interface: WAN, Protocol: TCP
# Destination: WAN address, Port: 443
# Redirect IP: 192.168.1.100, Port: 443
# Filter Rule Association: add associated filter rule

NAT Types

# 1:1 NAT — Firewall > NAT > 1:1
# Maps public IP → private IP (full bidirectional)
 
# Outbound NAT — Firewall > NAT > Outbound
# Automatic (default), Manual, Hybrid
# Manual: source LAN subnet → masquerade on WAN
 
# NAT Reflection — System > Advanced > Firewall & NAT
# Enables internal access to public IP from LAN

Advanced Firewall

Aliases

# Firewall > Aliases
# IP Alias: "Admin_IPs" = 192.168.1.0/24, 10.0.0.5
# Port Alias: "Web_Ports" = 80, 443, 8080
# URL Alias: fetch IPs from https://feeds.example.com/blocklist.txt

Schedules & Floating Rules

# Firewall > Schedules: "Business_Hours" Mon-Fri 08-18
# Apply in rule Advanced > Schedule
 
# Firewall > Rules > Floating
# Applies across interfaces before interface rules
# Direction: any/in/out, Quick: evaluate first
# Use: global blocklists, global QoS

Logging

# Enable "Log" on any rule
# Status > System Logs > Firewall
tcpdump -n -e -ttt -i pflog0             # Live pf log

Traffic Shaping

Limiters

# Firewall > Traffic Shaper > Limiters > Add
# Bandwidth: 50 Mb/s, Mask: /32 (per-IP limit)
# Queue: fq_codel
# Apply in firewall rule Advanced > In/Out Limiter

HFSC Queues

# Firewall > Traffic Shaper > By Layer
# Root queue on WAN: 100 Mb/s
# Child queues: Voice (prio 7), Video (prio 5), Default (prio 3)
# Classify traffic with firewall rules

VPN

OpenVPN Server

# VPN > OpenVPN > Servers > Add
# UDP 1194, tun mode, TLS auth
# Tunnel: 10.0.8.0/24, Redirect IPv4: yes
# Firewall: pass UDP 1194 on WAN + OpenVPN subnet any

OpenVPN Client Export

# VPN > OpenVPN > Client Export
# Downloads installer/ovpn for Windows, macOS, Linux, mobile

IPsec Site-to-Site

# VPN > IPsec > Tunnels > Add
# Phase 1: IKEv2, Mutual PSK, AES256-SHA256
# Phase 2: Tunnel, 192.168.1.0/24 ↔ 10.0.0.0/24, ESP
# Pass UDP 500, 4500, ESP on WAN

WireGuard (Package)

# System > Package Manager > WireGuard
# VPN > WireGuard > Tunnels: listen 51820, address 10.0.9.1/24
# Peers: public key, allowed IPs, endpoint
# Assign interface: Interfaces > Assignments > WireGuard
# Add firewall rules on new interface

DNS & DHCP

DNS Resolver (Unbound)

# Services > DNS Resolver > Enable
# Listen: LAN, localhost
# Host Overrides: intranet.example.com → 192.168.1.100
# Domain Overrides: example.com → 8.8.8.8

DHCP Server

# Services > DHCP Server > LAN
# Range: 192.168.1.100-200, Lease: 86400s
# Static Mappings: MAC → fixed IP
# DHCP Relay: forward to central DHCP server

Packages

# Install: System > Package Manager
 
# pfBlockerNG: IP + DNS blocking
#   - Firewall > pfBlockerNG > DNSBL + IP feeds
#   - Feeds: EasyList, Spamhaus DROP, AlienVault
 
# Suricata/Snort: IDS/IPS
#   - Services > Suricata > WAN interface
#   - ET Open rules, IPS mode to block
 
# ntopng: traffic monitoring at http://pfsense:3000
 
# ACME: Let's Encrypt certs
#   - Services > ACME > dns challenge (Cloudflare, Route53)
 
# HAProxy: reverse proxy with SSL offload
#   - Frontend: WAN:443, ACL by hostname
#   - Backend: internal server pool

System Administration

Backup, Update, ZFS

# Diagnostics > Backup & Restore — download config.xml
# System > Update — apply firmware updates
# System > ZFS Boot Environments — create BE before updates
beadm list
beadm create pre-upgrade
beadm activate pre-upgrade

Diagnostics Tools

# Diagnostics > Ping, Traceroute, DNS Lookup
# Diagnostics > Execute Command (shell)
# Status > Monitoring (RRD graphs)
# Status > Traffic Graph (live bandwidth)

Diagnostics

pfctl State Table

pfctl -ss                                # Show states
pfctl -ss | grep 192.168.1.100           # Filter by IP
pfctl -ss | wc -l                        # Count states
pfctl -k 10.0.0.5                        # Kill states for IP
pfctl -F states                          # Flush all states
pfctl -si                                # State counters/limits

Packet Capture

tcpdump -ni em0                          # Capture on interface
tcpdump -ni em0 port 443                 # HTTPS traffic
tcpdump -ni em0 host 192.168.1.100       # Specific host
tcpdump -ni em0 -c 100 -w capture.pcap   # Save to file
tcpdump -r capture.pcap                  # Read saved

pftop

pftop                                    # Real-time state viewer
pftop -s state.time                      # Sort by duration
pftop -i em0                             # Watch interface

Captive Portal

# Services > Captive Portal > Zones > Add
# Zone: "Guest_WiFi", Interface: OPT
# Auth: none (accept terms) / local / voucher / RADIUS
# Custom portal page with $PORTAL_ACTION$, $CLIENT_IP$
# Vouchers: generate roll of timed access codes
 
# Allowed MAC/IP bypass
# Idle timeout: 30 min, Hard timeout: 24h

Troubleshooting

Packet Loss & NAT Reflection

netstat -i -I em0 -w 5                   # Interface errors
ifconfig em0                             # Duplex/speed check
# Fix: swap cable, force duplex, check CPU
 
# NAT Reflection: System > Advanced > Firewall & NAT
# Enable: "NAT + Proxy" mode

DNS & High State Table

dig example.com @192.168.1.1             # Test resolver
tail -f /var/log/resolver.log            # DNS debug
 
pfctl -si                                # State usage
# Increase states: System > Advanced > Firewall & NAT > 1000000

CARP/HA & IPsec

ifconfig carp0                           # CARP status
sysctl net.inet.carp.log                 # Enable logging
 
ipsec statusall                          # IPsec debug
tcpdump -ni em0 esp                      # Capture ESP
tcpdump -ni em0 udp port 500 or 4500     # Capture IKE

Recovery

# Boot single user: option 2 at boot menu
fsck -y /                                # Check filesystem
cp /cf/conf/backup/*.xml /cf/conf/config.xml  # Restore from backup
reboot