A practical reference for pfSense firewall administration via web GUI and CLI.
Access & Basics
Web GUI & SSH
https://192.168.1.1 # Default LAN address
ssh [email protected] # SSH access
# Default creds: admin / pfsenseConsole Menu
1 - Assign Interfaces
2 - Set Interface IP
3 - Reset WebGUI password
4 - Reset to factory defaults
5 - Reboot
8 - Shell (FreeBSD shell)
9 - pfTop (real-time pf state)Config.xml
/cf/conf/config.xml # Active config
/cf/conf/backup/ # Auto backups
cp /cf/conf/config.xml /root/backup.xml # Manual backup
cp /root/backup.xml /cf/conf/config.xml # Restore
rebootInterface Configuration
# Interfaces > WAN — DHCP/Static/PPPoE
# Interfaces > LAN — default 192.168.1.1/24
# Interfaces > Assignments — add OPT1, OPT2
# VLAN: Interfaces > Assignments > VLANs
# Parent: igb0, Tag: 100, then assign new interface
# Bridge: Interfaces > Assignments > Bridges
# Select member interfaces for transparent firewall
# Status > Interfaces — check link, speed, IP, packetsFirewall Rules
LAN→WAN & Port Forwarding
# Firewall > Rules > LAN
# Default: allow all LAN to any
# Action: Pass/Block/Reject, Protocol, Source, Destination, Log
# Firewall > NAT > Port Forward > Add
# Interface: WAN, Protocol: TCP
# Destination: WAN address, Port: 443
# Redirect IP: 192.168.1.100, Port: 443
# Filter Rule Association: add associated filter ruleNAT Types
# 1:1 NAT — Firewall > NAT > 1:1
# Maps public IP → private IP (full bidirectional)
# Outbound NAT — Firewall > NAT > Outbound
# Automatic (default), Manual, Hybrid
# Manual: source LAN subnet → masquerade on WAN
# NAT Reflection — System > Advanced > Firewall & NAT
# Enables internal access to public IP from LANAdvanced Firewall
Aliases
# Firewall > Aliases
# IP Alias: "Admin_IPs" = 192.168.1.0/24, 10.0.0.5
# Port Alias: "Web_Ports" = 80, 443, 8080
# URL Alias: fetch IPs from https://feeds.example.com/blocklist.txtSchedules & Floating Rules
# Firewall > Schedules: "Business_Hours" Mon-Fri 08-18
# Apply in rule Advanced > Schedule
# Firewall > Rules > Floating
# Applies across interfaces before interface rules
# Direction: any/in/out, Quick: evaluate first
# Use: global blocklists, global QoSLogging
# Enable "Log" on any rule
# Status > System Logs > Firewall
tcpdump -n -e -ttt -i pflog0 # Live pf logTraffic Shaping
Limiters
# Firewall > Traffic Shaper > Limiters > Add
# Bandwidth: 50 Mb/s, Mask: /32 (per-IP limit)
# Queue: fq_codel
# Apply in firewall rule Advanced > In/Out LimiterHFSC Queues
# Firewall > Traffic Shaper > By Layer
# Root queue on WAN: 100 Mb/s
# Child queues: Voice (prio 7), Video (prio 5), Default (prio 3)
# Classify traffic with firewall rulesVPN
OpenVPN Server
# VPN > OpenVPN > Servers > Add
# UDP 1194, tun mode, TLS auth
# Tunnel: 10.0.8.0/24, Redirect IPv4: yes
# Firewall: pass UDP 1194 on WAN + OpenVPN subnet anyOpenVPN Client Export
# VPN > OpenVPN > Client Export
# Downloads installer/ovpn for Windows, macOS, Linux, mobileIPsec Site-to-Site
# VPN > IPsec > Tunnels > Add
# Phase 1: IKEv2, Mutual PSK, AES256-SHA256
# Phase 2: Tunnel, 192.168.1.0/24 ↔ 10.0.0.0/24, ESP
# Pass UDP 500, 4500, ESP on WANWireGuard (Package)
# System > Package Manager > WireGuard
# VPN > WireGuard > Tunnels: listen 51820, address 10.0.9.1/24
# Peers: public key, allowed IPs, endpoint
# Assign interface: Interfaces > Assignments > WireGuard
# Add firewall rules on new interfaceDNS & DHCP
DNS Resolver (Unbound)
# Services > DNS Resolver > Enable
# Listen: LAN, localhost
# Host Overrides: intranet.example.com → 192.168.1.100
# Domain Overrides: example.com → 8.8.8.8DHCP Server
# Services > DHCP Server > LAN
# Range: 192.168.1.100-200, Lease: 86400s
# Static Mappings: MAC → fixed IP
# DHCP Relay: forward to central DHCP serverPackages
# Install: System > Package Manager
# pfBlockerNG: IP + DNS blocking
# - Firewall > pfBlockerNG > DNSBL + IP feeds
# - Feeds: EasyList, Spamhaus DROP, AlienVault
# Suricata/Snort: IDS/IPS
# - Services > Suricata > WAN interface
# - ET Open rules, IPS mode to block
# ntopng: traffic monitoring at http://pfsense:3000
# ACME: Let's Encrypt certs
# - Services > ACME > dns challenge (Cloudflare, Route53)
# HAProxy: reverse proxy with SSL offload
# - Frontend: WAN:443, ACL by hostname
# - Backend: internal server poolSystem Administration
Backup, Update, ZFS
# Diagnostics > Backup & Restore — download config.xml
# System > Update — apply firmware updates
# System > ZFS Boot Environments — create BE before updates
beadm list
beadm create pre-upgrade
beadm activate pre-upgradeDiagnostics Tools
# Diagnostics > Ping, Traceroute, DNS Lookup
# Diagnostics > Execute Command (shell)
# Status > Monitoring (RRD graphs)
# Status > Traffic Graph (live bandwidth)Diagnostics
pfctl State Table
pfctl -ss # Show states
pfctl -ss | grep 192.168.1.100 # Filter by IP
pfctl -ss | wc -l # Count states
pfctl -k 10.0.0.5 # Kill states for IP
pfctl -F states # Flush all states
pfctl -si # State counters/limitsPacket Capture
tcpdump -ni em0 # Capture on interface
tcpdump -ni em0 port 443 # HTTPS traffic
tcpdump -ni em0 host 192.168.1.100 # Specific host
tcpdump -ni em0 -c 100 -w capture.pcap # Save to file
tcpdump -r capture.pcap # Read savedpftop
pftop # Real-time state viewer
pftop -s state.time # Sort by duration
pftop -i em0 # Watch interfaceCaptive Portal
# Services > Captive Portal > Zones > Add
# Zone: "Guest_WiFi", Interface: OPT
# Auth: none (accept terms) / local / voucher / RADIUS
# Custom portal page with $PORTAL_ACTION$, $CLIENT_IP$
# Vouchers: generate roll of timed access codes
# Allowed MAC/IP bypass
# Idle timeout: 30 min, Hard timeout: 24hTroubleshooting
Packet Loss & NAT Reflection
netstat -i -I em0 -w 5 # Interface errors
ifconfig em0 # Duplex/speed check
# Fix: swap cable, force duplex, check CPU
# NAT Reflection: System > Advanced > Firewall & NAT
# Enable: "NAT + Proxy" modeDNS & High State Table
dig example.com @192.168.1.1 # Test resolver
tail -f /var/log/resolver.log # DNS debug
pfctl -si # State usage
# Increase states: System > Advanced > Firewall & NAT > 1000000CARP/HA & IPsec
ifconfig carp0 # CARP status
sysctl net.inet.carp.log # Enable logging
ipsec statusall # IPsec debug
tcpdump -ni em0 esp # Capture ESP
tcpdump -ni em0 udp port 500 or 4500 # Capture IKERecovery
# Boot single user: option 2 at boot menu
fsck -y / # Check filesystem
cp /cf/conf/backup/*.xml /cf/conf/config.xml # Restore from backup
reboot