7/13/2017 InstallingpfSensePFSenseDocs

InstallingpfSense
FromPFSenseDocs
ThisarticleispartoftheHowToseries.

Contents
1 ChooseInstallationType
1.1 Hardwareconsiderations
1.2 64bitor32bit
1.3 InstallerISO,MemstickorMemstickSerial?
1.4 NanoBSDorNanoBSD+VGA
1.5 VirtualMachines
2 DownloadpfSense
3 PrepareInstallationMedia
4 ConnecttoSerialConsole(NanoBSD,Memstickserial)
5 PerformingaFullInstall(ISO,Memstick)
6 Embedded/NanoBSD
7 AssignInterfacesontheConsole
7.1 VLANS
7.2 LAN,WAN,OPTx
7.3 AutoAssignProcedure
8 pfSenseDefaultConfiguration
9 PostInstallTasks
9.1 ConnecttotheGUI
10 InstallationTroubleshooting
11 AdditionalInformation

ThisarticlewillguidethroughselectinganappropriateversionofpfSense,theinitialpfSenseinstallation,and
relatedtasks.

OfficialpfSenseappliancesmaybepurchaseddirectlyfromthepfSenseStore(https://www.pfsense.org/products/).

ChooseInstallationType
ToinstallpfSense,firstafewdecisionsarenecessarytopickwhichtypeofinstallationwillbeperformed.

Hardwareconsiderations

Whenselectinghardwareforanewbuild,carefullyconsidercurrentandfuturehardwarerequirements.These
include:

64bitIntelorAMDCPU(x8664,amd64)onpfSense2.4andlater(Q22017)
CPUsmusthaveAESNIsupportonpfSense2.5andlater(TBD,2018+)
MustbeabletobootfromUSBoropticaldriveandruntheinstalleronpfSense2.4andlater

64bitor32bit

https://doc.pfsense.org/index.php/Installing_pfSense 1/10
7/13/2017 InstallingpfSensePFSenseDocs

pfSensesupportsboth64bit(amd64)and32bit(i386)architectures.Theamd64platformworksoncurrentx86
64hardwarefromIntel,AMD,etc.Ifthehardwareiscapableofusinga64bitoperatingsystem,thenrunthe
amd64version.

Seealso:

DoespfSensesupport64bitsystems
Is32bitor64bitpfSensePreferred

InstallerISO,MemstickorMemstickSerial?

IfaFullInstallistobeperformed,therearethreetypesofinstallmediathatcanbeusedtoaccomplishthetask:

Opticaldiscimage(ISOimage,CD/DVDdisc):Easyandfamiliartomany,ifthetargethardwarehasan
opticaldriveit'sasolidchoice,especiallyiftheBIOSwillnotbootfromUSB.
Memstick:LiketheCD/DVD,butrunfromaUSBthumbdrive.OftenfasterthantheCD/DVD.Manynew
devicesdonothaveintegratedopticaldrives,makingthisthecurrentbestrecommendation.
SerialMemstick:LiketheMemstickimage,butrunsusingtheserialconsoleratherthanVGA,fornewer
embeddedsystems.

NanoBSDorNanoBSD+VGA

IMPORTANT:NanoBSDwillbedeprecatedwiththepfSense2.4RELEASE!

NanoBSDusestheSerialConsolebydefault,sotherearetwosetsofNanoBSDimages:

NanoBSD:Embeddedinstalltypeusingtheserialconsolebydefault
NanoBSD+VGA:LikeNanoBSD,butusestheVGAconsoleinstead.

VirtualMachines

VirtualMachines,withhypervisorssuchasVMwarevSphere,HyperV,KVM,ProxmoxorXen,shouldbe
installedusingtheISOimage.Theycanbeusedtofirewallcompletelyinsideahypervisorhostforothervirtual
machines,orforedgefiltering/routingtasks.

SeeAlso:

pfSenseonVMwarevSphere/ESXi
pfSenseonMicrosoftHyperV

DownloadpfSense
Visithttps://www.pfsense.org/download/
PickthechosenComputerArchitecture,Platform,andConsoletype
DownloadtheSHA256checksumfiletoverifytheimagelater
Pickamirrorandclickthelinkonitsrowtodownloadtheimagefromthere
Waitforthedownloadtocomplete
VerifyDownloadedFiles

PrepareInstallationMedia

https://doc.pfsense.org/index.php/Installing_pfSense 2/10
7/13/2017 InstallingpfSensePFSenseDocs

Thedownloadedimagemustbewrittentotargetmediabeforeitcanbeused.ForaFullInstall,thismediaisused
tobootandinstallandthenwillnotbeneededagain.ForEmbedded,thetargetmediaisthedisk(CF/SD)thatwill
containtheOperatingSystem.

WritetheinstallerISO:Ifthe.isofilewasdownloaded,itmustbeburnedtoadiscasanISOimage.See
WritingISOImagesforassistance.
WritingMemstickorNanoBSDimages:ThistaskiscoveredwithgreatdetailintheWritingDiskImages
articlehereonthewiki.

ConnecttoSerialConsole(NanoBSD,Memstickserial)
Beforeattemptingtoinstallorboot,ifaserialbasedimagewasused,suchasNanoBSDorMemstickSerial,
connecttotheserialconsolewithanullmodemcableandwithappropriateterminaloptions.SeeConnectingtothe
SerialConsoleforspecifics.

PerformingaFullInstall(ISO,Memstick)
Poweronthetargetsystemandconnecttheinstallmedia:PlacetheCDintothedriveorplugtheMemstickintoa
USBport.IftheBIOSissettobootfromCD/USB,pfSensewillstart.

Forotherbootissues,InstallationTroubleshooting.

AstheoperatingsystembootsandpfSensestarts,apromptispresentedwithsomechoicesandacountdowntimer.
Atthisprompt,pressitoinvoketheinstallernow.

Alternately,allowthesystemtoboottherestoftheway,assigninterfaces,andthenchooseoption99toinvokethe
installer.

https://doc.pfsense.org/index.php/Installing_pfSense 3/10
7/13/2017 InstallingpfSensePFSenseDocs

TheQuick/EasyInstalloptionis,asthenameimplies,bothQuickandEasy.Thatisthemethodwhichwillbe
demonstratedhere.

First,theinstallerconsolecanbechangedtouseadifferentfont,screenmap,orkeymap.Mostpeopledonotneed
tochangethese,butitmayhelpwithsomeinternationalkeyboards.

AttheSelectTaskprompt,chooseQuick/EasyInstall.

https://doc.pfsense.org/index.php/Installing_pfSense 4/10
7/13/2017 InstallingpfSensePFSenseDocs

TheQuick/EasyInstalloptionassumesthefirstlocateddiskistheintendedtarget,sobesurethereisonlyone
SSD/HDDispresentinthesystem.

NOTE:AGEOMmirror(softwareRAID)mayalsobeconfiguredbychoosingCustomInstallandthen
invokingtheoptiontocreatethemirrorandselectthedisks.Oncethathasbeencompleted,thenitis
possibletoreturntotheSelectTaskscreenandproceedwithaQuick/EasyInstall

Becausethenextstepisdestructivetowhateveriscurrentlyonthetargetdisk,confirmationisrequiredtoproceed.
SelectOKthenpressEnter.

Theinstallwillproceed,wipingthetargetdiskandinstallingpfSense.Copyingfilesmaytakesometimetofinish.

Afterthefileshavebeencopiedtothetargetdisk,achoiceispresentedtoselecttheconsoletype.Standard
defaultstotheVGAconsole.Embeddeddefaultstoserialconsole.

https://doc.pfsense.org/index.php/Installing_pfSense 5/10
7/13/2017 InstallingpfSensePFSenseDocs

NowthesystemmustrebootsothatpfSensemaystartfromthetargetdisk.SelectRebootandthenpressEnter.Be
suretoremovethediscorUSBmemsticksothatthesystemwillnotattempttobootfromtherenexttime.

https://doc.pfsense.org/index.php/Installing_pfSense 6/10
7/13/2017 InstallingpfSensePFSenseDocs

Afterthesystemreboots,pfSensewillberunningfromthetargetdisk.ThenextstepistoAssignInterfacesonthe
Consolebelow.

Embedded/NanoBSD
Beforeattemptingtoboot,ifALIXhardwareisbeingused,ensurethedevicehasthelatestBIOS(atleast0.99h)
andsetCHSmodeintheBIOS.SeeALIXBIOSUpdateProcedurefordetails.

https://doc.pfsense.org/index.php/Installing_pfSense 7/10
7/13/2017 InstallingpfSensePFSenseDocs

Installthetargetmediaintothedevice,andensuretheBIOSisconfiguredtobootfromthatdisk.

Ifeverythingisconfiguredcorrectlythekernelwillbegintoload.Forserialconsoleimages,systemswithVGA
outputwillstopdisplayingwitha"/"onthescreenormaystopata"BTX"message.Fromthatpointonalloutput
issenttoCOM1.Connecttotheserialconsoletoviewtheremainingoutput.

AssignInterfacesontheConsole
ThedefaultconfigurationfileonpfSense2.3hasem0assignedasWAN,andem1assignedasLAN.Ifthetarget
hardwarehasem0andem1,thentheassignmentpromptisskippedandtheinstallwillproceedasusual.Several
othercommonplatformssuchasourSGsystems,APU,andALIXarealsorecognizedandwillhavetheir
interfacesassignedintheexpectedorder.

Ifthehardwareplatformcannotbeidentified,alistofnetworkinterfacesandtheirMACaddressesthatwere
locatedonthesystemwillappear,alongwithanindicationoftheirlinkstateifthatissupportedbythenetwork
card.Thelinkstateisdenotedby"(up)"appearingaftertheMACaddressifalinkisdetectedonthatinterface.The
MAC(MediaAccessControl)addressofanetworkcardisauniqueidentifierassignedtoeachcard,andnotwo
networkcardsshouldhavethesameMACaddress.Afterthat,apromptwillbeshownforVLANconfiguration.

VLANS

TheoptiontoassignVLANsispresentedfirst.IfVLANsarenotrequired,ortheyarenotknown,enterNohere.
VLANsareoptionalandareonlyneededforadvancednetworking.VLANcapableequipmentisalsorequiredif
theyaretobeused.SeeVLANTrunkingfordetails.

LAN,WAN,OPTx

ThefirstinterfacepromptisfortheWANinterface.Iftheinterfaceisknown,enteritsname,suchasigb0orem0
andpressEnter.Iftheidentityofthecardisnotknown,seethenextsectionfortheAutoAssignProcedure.

ThesecondinterfacepromptisfortheLANinterface.Entertheappropriateinterface,suchasigb1orem1,and
pressEnteragain.IfonlytheWANinterfaceistobeused,andnoLAN,pressEnterwithoutgivinganyother
input.

Onlyoneinterface(WAN)isrequiredtosetuppfSense.Ifmoreinterfacesareavailabletheymaybeassignedas
LANandOPTxinterfaces.Theprocedureisthesameforadditionalinterfaces:Entertheappropriateinterface
name,thenpressEnter.

Whentherearenomoreinterfacestoadd,pressEnter.Thelistofassignedinterfacesisdisplayed.Ifthemappings
arecorrect,entery,otherwiseenternandrepeattheassignment.

NOTE:IfonlyoneNICisassigned(WAN),ThisiscalledApplianceMode.Inthismode,pfSensewillmove
theGUIantilockoutruletotheWANinterfacesothefirewallmaybeaccessedfromthere.Theusual
routingfunctionswouldnotbeactivesincethereisno"internal"interface.Thistypeofconfigurationis
usefulforVPNappliances,DNSservers,etc.

AutoAssignProcedure

Forautomaticinterfaceassignment,firstunplugallnetworkcablesfromthesystem,thentypeaandpressEnter.
NowpluganetworkcableintotheinterfacethatshouldconnecttotheWAN,andpressEnter.Ifallwentwell,
pfSenseshouldknownowwhichinterfacetousefortheWAN.ThesameprocessmayberepeatedfortheLAN,

https://doc.pfsense.org/index.php/Installing_pfSense 8/10
7/13/2017 InstallingpfSensePFSenseDocs

andanyoptionalinterfacesthatwillbeneeded.IfamessageisdisplayedsuchasNolinkupdetected,see
InstallationTroubleshootingformoreinformationonsortingoutnetworkcardidentities.

pfSenseDefaultConfiguration
Afterinstallationandinterfaceassignment,pfSensehasthefollowingdefaultconfiguration:

WANisconfiguredasanIPv4DHCPclient
WANisconfiguredasanIPv6DHCPclientandwillrequestaprefixdelegation
LANisconfiguredwithastaticIPv4addressof192.168.1.1/24
LANisconfiguredtouseadelegatedIPv6address/prefixobtainedbyWAN(TrackIPv6)ifoneisavailable
AllincomingconnectionstoWANareblocked
AlloutgoingconnectionsfromLANareallowed
NATisperformedonIPv4trafficleavingWANfromtheLANsubnet
ThefirewallwillactasanIPv4DHCPServer
ThefirewallwillactasanIPv6DHCPv6ServerifaprefixdelegationwasobtainedonWAN,andalso
enablesSLAAC
TheDNSResolverisenabledsothefirewallcanacceptandrespondtoDNSqueries
SSHisdisabled.
WebGUIisrunningonport443usingHTTPS
Defaultcredentialsaresettoausernameofadminwithpasswordpfsense

PostInstallTasks
Afterinstallationandassignment,ashellmenuispresentedontheconsolewithanumberofoptions.pfSensenow
isreadytobeaccessedviathenetwork,eitherontheLANinterface(ifoneisassigned),orontheWANinterface
inasingleinterfacedeployment.

ConnecttotheGUI
https://doc.pfsense.org/index.php/Installing_pfSense 9/10
7/13/2017 InstallingpfSensePFSenseDocs

TheWebGUIisusedtoconfigurethevastmajorityofitemsinpfSense.Itmaybeaccessedbyanymodern
browser,thoughFirefoxandChromearepreferred.

ConnectaclientPCtotheLANofthefirewallandensureitobtainedanIPaddress.Ifitdidnot,itmaybeplugged
intothewrongport.

Openawebbrowserandnavigatetohttps://192.168.1.1/,usingthedefaultusernameadminandpasswordpfsense
tologin.

ThefirstvisittotheWebGUIwillberedirectedtothesetupwizard,whichisalsoaccessibleatSystem>Setup
Wizard.Proceedthroughthewizardandconfigurethingsasdesired.

InstallationTroubleshooting
Iftheinstallationdidnotproceedasplanned,seeInstallationTroubleshootingforhelp.

AdditionalInformation
ForadditionalinformationonInstallingpfSense,seethepageCategory:Installation.SignupforaGold
Subscription(https://www.pfsense.org/ourservices/goldmembership.html),whichgivesaccesstotheofficial
pfSensebookandmonthlyhangoutsthatcoveravarietyoftopicsaswellasourAutoConfigBackupservice,a
secureplacetostoreandretrieveoffsitebackups.

Retrievedfrom"https://doc.pfsense.org/index.php?title=Installing_pfSense&oldid=8065"

Categories: Howto Installation

Thispagewaslastmodifiedon14June2017,at12:08.

https://doc.pfsense.org/index.php/Installing_pfSense 10/10