Random knowledge about pfSense / answers to repeated questions.

  • The information here is mostly outdated and should no longer serve as a source of knowledge

    ~~I'm trying to make a thread here (which i intend to update) that provides a list of links to threads that answer stuff i see repeatedly appear in the forum.

    Also i'm trying to write some kind of "getting started" or better said a collection of random information which should be useful for pfSense which one day maybe can go into the docs.

    If anyone want to help me please post it here or send a PM :)
    **If you are looking for help on the forum because you have a problem:
    provide as much information as possible.
    (log-outputs, screenshots of config/rules, etc.)
    Often a Diagram (ASCII ART ?) can help more than pages of descriptions how your network is set up.

    This guide might help you formulate your post:
    How To Ask Questions The Smart Way

    Before you ask on the Forum:

    There are some Tutorials here:
    And the docs here:
    Also a devwiki:


    Before buying it, check the supported hardware page:
    pfSense Version 1.2.3 has FreeBSD 7.2 below.

    Network cards: Use Intel server cards where possible.

    If you're not able to boot your hardware:

    If you are experiencing high pings/high latency
    Your hardware is most probably undersized or you have an Interrupt problem (caused by bad NIC's)

    If you're installing to a CF Card use the embedded version.
    A fullinstall to a CF will kill the card. The CF should be minimum 512 MB (more works too but the space is not used).

    If you want to use packages you need to use the full version --> install to a HD.
    Alternatively you can use a Microdrive (Harddisk in CF format).
    With the introduction of version 1.2.3 an the change to nanoBSD some packages are supported.
    See http://spreadsheets.google.com/ccc?key=0AojFUXcbH0ROdFdHTTlKNWNSMG5rRjQwZE1fYVgySGc&hl=en
    for which packages work.
    If the package you need is marked as "not working" in the list you will have to do a full install to use it.

    cheesyboofs posted some info on how to get certain types of microdrives to run.

    The embedded version does not have any VGA output. Connect and configue per Serial port.

    Tutorial for PXE booting FreeDOS and updating the Bios of an ALIX:

    also a few posts below this link is a way to install without booting over network but with writing a CF which is NOT 128 MB.

    If you want to do a fullinstall to a harddisk on embedded hardware (like an ALIX or soekris)


    If you want to be able to use NAT-mappings from withing your own LAN disable the checkbox "Disable NAT Reflection"

    General Setup:
    If you get your IP on WAN per DHCP you mostly get a DNS assigned automatically.
    When you use a static IP on WAN (insted of per DHCP) you need to set the DNS Servers here.

    Static Routes:
    The dropdown for the interface defines on which interface the gateway for the remote subnet is reachable.
    NOT that on the selected interface is the static route applied on inbound traffic.

    if you are having problems with FTP and the FTP-helper:
    Dotdash posted some info what the problem with FTp and NAT is.
    –> http://forum.pfsense.org/index.php/topic,7096.msg40254.html#msg40254

    If you are using a bridge, make sure the interface which is bridged to is always up.
    You cannot use the bridged interface if the interface to which is bridged is down.
    Example: WLAN bridged to LAN. DHCP running on LAN.
    If the LAN interface is down you cannot use the WLAN interface.
    You can work around this by simply plugging in a switch/hub or a loopback connector.
    The more elegant solution would be to bridge the LAN interface to WLAN and run the DHCP server on the WLAN interface.


    You can use port-aliases to forward multiple single ports in single rule.

    Every locally connected subnet, whether defined and reachable via a static route or attached to a LAN or OPT interface, will have its outbound traffic leaving any WAN interfaces NATed to that WAN interface's IP. You can change this behavior by enabling Advanced Outbound NAT (AON) but this is usually unnecessary and adds unneeded complexity.
    For OpenVPN if you want the OpenVPN subnet NAT'ed to WAN, you will have to use AON.

    (screenshots to clarify: http://forum.pfsense.org/index.php/topic,7693.0.html )
    This might create a problem for FTP with multiWAN
    more here: http://forum.pfsense.org/index.php/topic,7096.msg40810.html#msg40810

    If you are running IPsec or VoiP clients in your network you might want to enable the static port option. The same goes for most games.
    more info on that here: http://doc.pfsense.org/index.php/Static_Port

    For NAT portforwardings: NAT is applied before the Firewall rules.

    If you want to use 1:1 NAT mappings with additional IP's on the WAN:
    Set first these VIP's up.
    You can enter in the 1:1 NAT config the IP which should be on your WAN but without setting up a VIP first, it just wont work.

    1:1 NAT is bidirectional.
    Meaning traffic originating from the Computer that is 1:1 NATed will appear as if from the external IP used in the 1:1 NAT mapping.

    NAT-Reflection does not work with 1:1 NAT
    You most likely need to setup split dns or add a port forward on top of the 1:1 nat to invoke reflection.  Reflection by default does not work with 1:1 nat's.    So your most likely resolving the public IP address which will not forward back across to the 1:1 server.

    How to set up split-DNS with the DNS-forwarder in pfSense:

    If you have problems with FTP and NAT:

    My "personal solution" to ftp-problems:
    quote= http://forum.pfsense.org/index.php/topic,10844.msg60345.html#msg60345
    1: Disable the ftp-helper on all interfaces.
    2: Define a port-range on your ftp-server for the data-transfer.
    3: forward port 21 and your data-transfer-range to your server. You can do that for multiple WANs.

    Rules are processed from top to down.
    If a rule catches the rest of the rules is no longer considered.
    Per default a "block all" rule is always in place (invisible below your own rules).

    Traffic is filtered on the Interface on which traffic comes in.
    So traffic comming in on the LAN-Interface will only be processed by the rules you define on the LAN tab.

    If you have a private subnet on your WAN: uncheck the "Block private networks" checkbox on your WAN-config page.

    Currently the Trafficshaper only works between 2 Interfaces. (not with MultiWAN)

    Virtual IP's:
    A Service cannot bind to an Proxy-ARP VIP. (Services on pfSense) use for that CARP instead.

    You can NOT ping Proxy ARP VIP's
    Use CARP VIP's instead.

    A description of what the differences between the 3 types of VIPs are:



    If you want to force your clients to send their traffic over the VPN you need to set some custom options:
    Please read the following thread for more infos:

    If you are using MultiWAN and your local LAN should be able to connect to the clients connecting to your network:
    you need to have a rule above your default rule (which has as gateway the loadbalancer)
    with desination your VPN-subnet and as gateway the default gateway (displayed as *) NOT the loadbalancer.

    The config files for the OpenVPN servers and clients are saved in the path /var/etc/

    You cannot access windows shares via the "My network places" because windows shares work with UDP-broadcasts.
    The VPN is routed and will block broadcasts.
    If you want to access a windows share you have to access it directly by IP
    ie: start–>run: \IPofServer

    General Stuff:
    If you want to make use of WANx for a service on pfSense:

    You need a static route to the <remote-tunnel-endpoint-ip>/32 via <gateway-of-wan2>. All services running at the pfSense directly (like ipsec, a proxy, dnsforwarder,…) only follow the routingtable definitions.</gateway-of-wan2></remote-tunnel-endpoint-ip>

    ~~To access an ADSL-Modem in bridge mode use this guide:

    pfSense is not Linux but FreeBSD

    If you really HAVE to use ifconfig aliases on an interface here is a small howto:

  • Hardware: Before buying it, check the supported hardware page

    Network cards: Use Intel server cards where possible

  • You forgot one:

    YOU CAN NOT INSTALL PACKAGES on an IMBEDDED Installation - or at least there is NO SUPPORT to do such a thing!



  • Better?


    If you want to use packages you need to use the full version –> install to a HD. Alternatively you can use a Microdrive (Harddisk in CF format).


    If you want to use packages you need to use the full version –> install to a HD. Alternatively you can use a Microdrive (Harddisk in CF format).

  • @GruensFroeschli:



    If you want to use packages you need to use the full version –> install to a HD. Alternatively you can use a Microdrive (Harddisk in CF format).


    If you want to use packages you need to use the full version –> install to a HD. Alternatively you can use a Microdrive (Harddisk in CF format).

    definitely more succinct.  :)


  • fantastic post!

  • make this threat sticky….. ::) :o ;D :D

    is great !!!!!

  • What do the checkboxes mean in the rules and NAT tabs - enable rule or disable rule?  Possible addition to the FAQ?

  • The checkboxes in the rule lists are just for deleting or changing the order.  (Hover over the bottom-most "X" button or the arrow buttons to see tooltip about it).

  • Thanks for your post!!!It's useful for me!!!

Log in to reply