> Advanced Professional Guide — pfSense 2.7+ · FreeBSD · OpenVPN · IPsec · VLAN · HAProxy · Snort / Suricata


Table of Contents

  1. Hardware & Environment Requirements
  2. Installing pfSense
  3. Initial configuration & interfaces
  4. Advanced firewall rules
  5. VLAN & network segmentation
  6. VPN — OpenVPN & IPsec
  7. IDS/IPS — Snort & Suricata
  8. High availability (CARP)
  9. Monitoring & alerts
  10. Best practices & hardening

1. Hardware & environment requirements

pfSense is based on FreeBSD and requires dedicated or virtualized hardware for optimal performance in production.

| Component | Minimum | Recommended (production) | Notes |
|---|---|---|---|
| CPU | 64-bit, 1 GHz | Intel with AES-NI, 4+ cores | AES-NI required for high-performance VPN |
| RAM | 1 GB | 8 GB+ | 16 GB if IDS/IPS enabled |
| Storage | 8 GB SSD | 64 GB NVMe SSD | Logs & resource-intensive packages |
| Network interfaces | 2 NICs | 4+ Intel/Broadcom NICs | Avoid Realtek NICs in production |
| Connectivity | 100 Mbps | 1–10 Gbps | Depending on traffic volume |

> ℹ️ Info — For virtualization (VMware ESXi / Proxmox), enable NIC passthrough (SR-IOV) for near-bare-metal performance. Avoid virtual NICs for production.

*Fig. 1.1 — Complete network architecture with pfSense as a border firewall, VLAN segmentation, and VPN: WAN em0 to the ISP modem/ONT; LAN em1 (192.168.1.0/24, VLAN 10); DMZ em2 (10.0.10.0/24, VLAN 20); OOB management em3 (172.16.0.0/24, VLAN 99) over an 802.1Q trunk to a managed L2/L3 switch; OpenVPN clients in 10.8.0.0/24; remote site 192.168.2.0/24 reached over site-to-site IPsec*

2. Installing pfSense

Download the ISO image from netgate.com and create bootable media.

Installation steps

  1. Download the official ISO from netgate.com/pfsense-plus-software (CE or Plus version depending on license)
  2. Create a bootable USB drive with Balena Etcher or Rufus (UEFI recommended)
  3. Boot from the USB drive — select Install pfSense from the menu
  4. Choose the partitioning mode: Auto ZFS recommended for redundancy
  5. Select the target disk — confirm data destruction
  6. Reboot after installation and remove the media

> ⚠️ Warning — Never install pfSense on the same disk as other systems. Partitioning completely erases the target disk.

*Fig. 2.1 — pfSense installation flow in 6 steps (download ISO, create bootable USB, boot UEFI/Legacy, Auto ZFS partitioning, disk selection with data erased, reboot and remove USB); step 4 (ZFS) is critical, since ZFS provides redundancy, snapshots and automatic integrity checking that UFS lacks*

3. Initial configuration & interfaces

On first boot, pfSense launches a wizard accessible via the WebGUI at https://192.168.1.1.

Initial WebGUI access

URL: https://192.168.1.1
Login: admin
Password: pfsense

⚠ Change the password immediately via System > User Manager

Interface assignment

Navigate to Interfaces > Assignments. Identify each physical interface via its MAC address or via the built-in cable disconnect test.

| Interface | Role | Recommended address |
|---|---|---|
| WAN | ISP/Internet connection | DHCP or static ISP IP |
| LAN | Main internal network | 192.168.1.1/24 (to be changed) |
| OPT1 | DMZ / exposed servers | 10.0.10.1/24 |
| OPT2 | OOB management | 172.16.0.1/24 |

*Fig. 3.1 — Assigning network interfaces in pfSense: WAN em0 (DHCP / static ISP IP), LAN em1 192.168.1.1/24, OPT1 em2 10.0.10.1/24 (DMZ), OPT2 em3 172.16.0.1/24 (MGMT); WebGUI at https://192.168.1.1 with admin / pfsense*

4. Advanced firewall rules

pfSense uses pf (the FreeBSD Packet Filter) as its engine. Rules are evaluated top to bottom, and the first matching rule wins.

> 🚫 Critical — Never use the "any to any" rule in production. Always define named aliases and rules per service.

Creating aliases

Alias: ADMIN_HOSTS
Type: Host(s)
IPs: 10.0.0.10, 10.0.0.11, 172.16.0.5

Alias: WEB_SERVICES
Type: Port(s)
Ports: 80, 443, 8443

Example of LAN → WAN rules

| Action | Proto | Source | Dest. | Port | Description |
|---|---|---|---|---|---|
| PASS | TCP | LAN net | any | 443 | Outgoing HTTPS |
| PASS | UDP | LAN net | DNS servers | 53 | Authorized DNS |
| PASS | TCP/UDP | ADMIN_HOSTS | any | any | Full admin access |
| BLOCK | any | any | any | any | Implicit deny-all |

*Fig. 4.1 — Top-down processing logic of pfSense rules: an incoming packet is tested against rule 1 (LAN → HTTPS 443), then rule 2 (LAN → DNS 53), then the implicit deny-all; the first matching rule is the final decision, so rule order is critical*
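As an added illustration (not pfSense code), the following Python model evaluates packets against the aliases and the LAN → WAN rule table above with first-match semantics, and shows what happens when the deny-all row is moved to the top. The DNS server addresses and the tested client hosts are assumed.

```python
import ipaddress

# Aliases mirroring the page's definitions; the resolver addresses are assumed.
ALIASES = {
    "LAN net": ["192.168.1.0/24"],
    "DNS servers": ["1.1.1.1", "9.9.9.9"],
    "ADMIN_HOSTS": ["10.0.0.10", "10.0.0.11", "172.16.0.5"],
    "WEB_SERVICES": [80, 443, 8443],          # port alias, usable in the Port column
    "any": ["0.0.0.0/0"],
}

# (action, proto, source, destination, dst port, description), evaluated top-down.
RULES = [
    ("PASS", "TCP", "LAN net", "any", 443, "Outgoing HTTPS"),
    ("PASS", "UDP", "LAN net", "DNS servers", 53, "Authorized DNS"),
    ("PASS", "TCP/UDP", "ADMIN_HOSTS", "any", "any", "Full admin access"),
    ("BLOCK", "any", "any", "any", "any", "Implicit deny-all"),
]

def _addr_match(alias, ip):
    """True if ip falls in any host or network listed under the alias."""
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n, strict=False)
               for n in ALIASES[alias])

def _port_match(spec, port):
    """spec is 'any', a literal port, or the name of a port alias."""
    if spec == "any":
        return True
    return port in (ALIASES[spec] if isinstance(spec, str) else [spec])

def evaluate(proto, src, dst, dport, rules=RULES):
    """Return (action, description) of the first rule matching the packet."""
    for action, rproto, rsrc, rdst, rport, desc in rules:
        if rproto != "any" and proto not in rproto.split("/"):
            continue
        if _addr_match(rsrc, src) and _addr_match(rdst, dst) and _port_match(rport, dport):
            return action, desc
    return "BLOCK", "pf default deny"   # only reached if the trailing BLOCK row is removed

def reordered_deny_first(rules=RULES):
    """Same rules with deny-all moved to the top: everything is blocked, which is why order matters."""
    return [rules[-1]] + rules[:-1]

if __name__ == "__main__":
    print(evaluate("TCP", "192.168.1.20", "203.0.113.10", 443))   # PASS: rule 1
    print(evaluate("TCP", "192.168.1.20", "203.0.113.10", 22))    # BLOCK: falls through to deny-all
    print(evaluate("TCP", "10.0.0.10", "203.0.113.10", 22))       # PASS: ADMIN_HOSTS rule
    print(evaluate("TCP", "192.168.1.20", "203.0.113.10", 443, reordered_deny_first()))  # BLOCK
```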

5. VLAN & network segmentation

Segmentation via VLAN (802.1Q) is essential for isolating traffic and limiting the impact of a compromise.

VLAN configuration on pfSense

  1. Navigate to Interfaces > VLANs — Click Add
  2. Select the parent interface (e.g., igb1) and enter the VLAN ID (e.g., 20)
  3. Assign the VLAN created in Interfaces > Assignments
  4. Enable the interface and configure its IP address
  5. Create inter-VLAN firewall rules according to the security policy

> ℹ️ Info — Configure the upstream switch in trunk mode on the port connected to pfSense. Use a dedicated native VLAN (non-1) for management.

*Fig. 5.1 — Segmentation into 4 VLANs with an 802.1Q trunk to pfSense (em1, inter-VLAN routing + firewall): VLAN 10 users/workstations 192.168.10.0/24, VLAN 20 servers/DMZ 10.0.20.0/24, VLAN 30 IoT devices 10.0.30.0/24, VLAN 99 OOB management 172.16.99.0/24; the switch's upstream port is a trunk and client ports are access ports; VLANs are fully isolated from each other except for explicit rules*

6. VPN — OpenVPN & IPsec

pfSense natively supports OpenVPN (remote access) and IPsec (site-to-site).

OpenVPN — Secure remote access

  1. Create an internal CA: System > Cert. Manager > CAs > Add
  2. Generate a server certificate: System > Cert. Manager > Certificates
  3. Navigate to VPN > OpenVPN > Servers > Add
  4. Configure: Protocol UDP, port 1194, TLS Authentication enabled
  5. Choose the tunnel network (e.g., 10.8.0.0/24) and push the LAN routes
  6. Create the WAN rule: allow incoming UDP 1194
  7. Export the client configurations via the openvpn-client-export package

```
# Recommended secure settings
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
tls-auth ta.key 0
remote-cert-tls server
```
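To check that an exported client profile actually carries the directives listed above, here is an added audit script (not pfSense or OpenVPN code) that parses a config and reports every deviation from that baseline; the weak profile it compares against is constructed for contrast, and the treatment of absent directives assumes OpenVPN's historical defaults (TLS 1.0 minimum, BF-CBC, SHA1).

```python
# Weak and hardened OpenVPN client configs, constructed for contrast with the settings above.
WEAK_CONFIG = """\
dev tun
cipher BF-CBC
auth SHA1
"""

HARDENED_CONFIG = """\
dev tun
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
tls-auth ta.key 0
remote-cert-tls server
"""

AEAD_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}
STRONG_HMAC = {"SHA256", "SHA384", "SHA512"}

def parse_openvpn(text):
    """Map each directive to its argument list, ignoring blank lines and '#' comments."""
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, *args = line.split()
            directives[key] = args
    return directives

def audit_openvpn(text):
    """Return sorted findings; an empty list means the config meets the recommended baseline."""
    d = parse_openvpn(text)
    findings = []
    if float(d.get("tls-version-min", ["1.0"])[0]) < 1.2:   # absent: older builds accept TLS 1.0
        findings.append("tls-version-min below 1.2")
    cipher = d.get("cipher", ["BF-CBC"])[0].upper()         # BF-CBC was the pre-2.5 default
    if cipher not in AEAD_CIPHERS:
        findings.append(f"non-AEAD or weak cipher: {cipher}")
    hmac = d.get("auth", ["SHA1"])[0].upper()               # SHA1 is the default --auth
    if hmac not in STRONG_HMAC:
        findings.append(f"weak HMAC: {hmac}")
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append("no tls-auth/tls-crypt: control channel accepts unauthenticated peers")
    if "remote-cert-tls" not in d:
        findings.append("remote-cert-tls missing: peer certificate role not verified")
    return sorted(findings)
```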

IPsec — Site-to-site tunnel (IKEv2)

| Phase | Setting | Recommended value |
|---|---|---|
| Phase 1 | IKE version | IKEv2 |
| Phase 1 | Encryption | AES-256 |
| Phase 1 | Hash | SHA-256 |
| Phase 1 | DH group | 14 (2048-bit) |
| Phase 2 | Protocol | ESP |
| Phase 2 | Encryption | AES-256-GCM |
| Phase 2 | PFS | Group 14 |

*Fig. 6.1 — VPN architecture: OpenVPN remote access (client tunnel address 10.8.0.2, UDP 1194 over the Internet to the pfSense OpenVPN server, TLS + AES-256-GCM, reaching the internal LAN 192.168.1.0/24) in parallel with site-to-site IPsec (site A HQ: pfSense master, LAN 192.168.1.0/24, WAN 203.0.113.1; site B branch: pfSense or FortiGate, LAN 192.168.2.0/24, WAN 198.51.100.1; IKEv2, ESP, AES-256, PFS group 14); OpenVPN covers individual mobility, IPsec S2S a permanent inter-site link*

7. IDS/IPS — Snort & Suricata

pfSense integrates Snort and Suricata as IDS/IPS packages. Suricata is preferred for its multi-threaded performance.

Installing Suricata

  1. Navigate to System > Package Manager > Available Packages
  2. Search for and install Suricata
  3. Go to Services > Suricata > Interfaces — Add WAN
  4. Enable rule sources: ET Open, Snort Community Rules
  5. Configure the mode: IDS (alert) first, then IPS (block) after validation
  6. Enable false positive suppression via suppression lists

> ⚠️ Warning — Always start in IDS only mode to analyze false positives before enabling blocking.

*Fig. 7.1 — Suricata pipeline on pfSense: inbound/outbound WAN traffic goes through deep packet analysis against ET Open and Snort Community rules (multi-threaded, AF_PACKET); no signature match → traffic passes; a match → alert + log only in IDS mode, or drop + alert + log in IPS mode; alerts exported via syslog to a SIEM (Graylog / ELK)*

8. High availability (CARP)

pfSense implements high availability via CARP and pfsync for state synchronization between active and passive nodes.

HA Configuration

  1. Configure a dedicated pfsync interface (isolated synchronization network)
  2. On the Master: System > High Avail. Sync — enable pfsync, configure the peer IP
  3. Create CARP VIPs on each interface (WAN, LAN, etc.)
  4. Configure rules and services to use VIPs as addresses
  5. Test failover by stopping the Master and verifying automatic failover

> ✅ Good to know — With HA configured correctly, failover time is less than 1 second thanks to pfsync synchronization.

*Fig. 8.1 — HA architecture with shared CARP VIPs and pfsync: WAN CARP VIP 203.0.113.100 and LAN CARP VIP 192.168.1.254; MASTER (active) WAN 203.0.113.1 / LAN 192.168.1.1, CARP priority 100; BACKUP (standby) WAN 203.0.113.2 / LAN 192.168.1.2, CARP priority 90; pfsync synchronizes states and configuration; failover < 1 s if the master fails*
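When verifying an HA pair, it helps to see which node is really winning each VIP on the wire. The following added example (not pfSense or FreeBSD code) decodes CARP advertisements (IP protocol 112, the heartbeat a master sends per VHID) and applies the election rule: for a given VHID, the node advertising most often, i.e. with the lowest advbase + advskew/256, becomes master. Node names, the skew values 0 and 100 (pfSense's usual primary/secondary Skew settings) and the zeroed HMAC field are constructed assumptions.

```python
import struct

# CARP advertisement header as laid out by FreeBSD's struct carp_header:
# version/type, vhid, advskew, authlen, pad, advbase, checksum, 2 x 32-bit counter, 20-byte HMAC.
CARP_HDR = struct.Struct("!BBBBBBH2I20s")

def carp_checksum(data):
    """Standard Internet (one's complement) checksum over the CARP header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_advert(vhid, advskew, advbase=1, counter=(0, 1)):
    """Constructed advertisement (version 2, type 1, authlen fixed at 7) with a zeroed HMAC."""
    hdr = CARP_HDR.pack((2 << 4) | 1, vhid, advskew, 7, 0, advbase, 0, *counter, b"\x00" * 20)
    return hdr[:6] + struct.pack("!H", carp_checksum(hdr)) + hdr[8:]

def parse_advert(pkt):
    """Decode the header; raise ValueError on a bad version/type or checksum."""
    vt, vhid, advskew, _authlen, _pad, advbase, _cksum, c0, c1, _md = CARP_HDR.unpack(pkt[:CARP_HDR.size])
    if vt >> 4 != 2 or vt & 0xF != 1:
        raise ValueError("not a CARPv2 advertisement")
    if carp_checksum(pkt[:CARP_HDR.size]) != 0:       # a valid packet sums to zero
        raise ValueError("checksum mismatch")
    return {"vhid": vhid, "advskew": advskew, "advbase": advbase,
            "interval": advbase + advskew / 256, "counter": (c0 << 32) | c1}

def elect_master(adverts):
    """Per VHID, the node with the shortest advertisement interval wins (first seen keeps a tie)."""
    winners = {}
    for name, pkt in adverts.items():
        a = parse_advert(pkt)
        best = winners.get(a["vhid"])
        if best is None or a["interval"] < best[1]:
            winners[a["vhid"]] = (name, a["interval"])
    return {vhid: name for vhid, (name, _) in winners.items()}

if __name__ == "__main__":
    pair = {"pfsense-backup": build_advert(1, 100), "pfsense-master": build_advert(1, 0)}
    print(elect_master(pair))   # {1: 'pfsense-master'}
```

Feed real packets by slicing the CARP payload out of a capture on the pfsync/LAN segment; a node that unexpectedly shows up with a lower interval than the intended primary is the usual cause of a split or flapping VIP.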

9. Monitoring & alerts

Good monitoring combines internal pfSense logs, SNMP/syslog export, and external tools.

External syslog configuration

System > Advanced > Notifications

Remote Log Servers: 10.0.10.50:514
Protocol: UDP
Log contents: Firewall Events, DHCP, VPN, System
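Once firewall events reach the syslog server, they arrive as pfSense filterlog CSV records. The following added example (not pfSense code) parses such lines into named fields and applies one simple detection, flagging any source blocked inbound on several distinct ports; the log lines are constructed, and the field order follows the pfSense 2.2+ filterlog format (common fields, IPv4 fields, then TCP/UDP fields).

```python
import csv
import re

# Constructed pfSense filterlog lines as they would arrive at the remote syslog server above.
SAMPLE_SYSLOG = """\
<134>Jun  1 10:00:01 pfSense filterlog[12345]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,192.168.1.1,54321,22,0,S,1234567890,,65535,,mss
<134>Jun  1 10:00:02 pfSense filterlog[12345]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,192.168.1.1,54322,23,0,S,1234567891,,65535,,mss
<134>Jun  1 10:00:03 pfSense filterlog[12345]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,192.168.1.1,54323,3389,0,S,1234567892,,65535,,mss
<134>Jun  1 10:00:04 pfSense filterlog[12345]: 80,,,1000000120,em1,match,pass,out,4,0x0,,64,0,0,DF,17,udp,68,192.168.1.20,9.9.9.9,51000,53,48
<134>Jun  1 10:00:05 pfSense filterlog[12345]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,17,udp,78,198.51.100.7,192.168.1.1,40000,161,58
"""

SYSLOG_RE = re.compile(r"<\d+>(\w{3}\s+\d+ [\d:]{8}) \S+ filterlog\[\d+\]: (.*)$")
# Field names in pfSense filterlog order: common block, IPv4 block, then per-protocol block.
COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason", "action", "dir", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto", "length", "src", "dst"]
L4 = {"tcp": ["sport", "dport", "datalen", "tcpflags"], "udp": ["sport", "dport", "datalen"]}

def parse_filterlog(line):
    """Split one syslog line into named filterlog fields (IPv4 TCP/UDP records only)."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a filterlog line")
    fields = next(csv.reader([m.group(2)]))
    rec = {"ts": m.group(1)}
    rec.update(zip(COMMON, fields[:9]))
    if rec["ipver"] != "4":
        raise ValueError("only IPv4 records are handled in this example")
    rec.update(zip(IPV4, fields[9:20]))
    rec.update(zip(L4.get(rec["proto"], []), fields[20:]))   # extra TCP fields are ignored
    return rec

def blocked_sources(text, min_ports=3):
    """Sources blocked inbound that hit at least min_ports distinct ports (scan-like behaviour)."""
    ports = {}
    for line in text.splitlines():
        rec = parse_filterlog(line)
        if rec["action"] == "block" and rec["dir"] == "in":
            ports.setdefault(rec["src"], set()).add(rec["dport"])
    return {src: sorted(p, key=int) for src, p in ports.items() if len(p) >= min_ports}

if __name__ == "__main__":
    print(blocked_sources(SAMPLE_SYSLOG))   # {'203.0.113.5': ['22', '23', '3389']}
```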

SNMP for network monitoring

  1. Install the Net-SNMP package via the manager.
  2. Configure the SNMP v3 community with authentication (avoid v1/v2c).
  3. Restrict SNMP access to monitoring IPs only.
  4. Integrate into Zabbix or LibreNMS with pfSense OIDs.

*Fig. 9.1 — pfSense monitoring ecosystem: syslog UDP 514 to Graylog / ELK (log centralization), SNMP v3 to Zabbix / LibreNMS, NetFlow / IPFIX to ntopng (flow analysis), built-in RRDtool and Grafana metric dashboards; alerts via email / Slack / PagerDuty on thresholds such as CPU > 80%, interface down, failed authentication; recommended retention of at least 90 days for compliance (PCI-DSS, ISO 27001)*

10. Best practices & hardening

| Area | Action | Priority |
|---|---|---|
| Authentication | MFA on WebGUI (TOTP) | 🔴 CRITICAL |
| Access | WebGUI only on LAN/MGMT interface | 🔴 CRITICAL |
| Protocols | Disable HTTP, enforce HTTPS + HSTS | 🔴 CRITICAL |
| SSH | Public key only, non-standard port | 🟠 HIGH |
| Updates | Regular patches, snapshots before updates | 🟠 HIGH |
| Logs | External syslog export + min. 90-day retention | 🟠 HIGH |
| Backup | Daily automated encrypted config export | 🟡 STANDARD |
| DNS | DNS Resolver with DNSSEC enabled | 🟡 STANDARD |

> 🔐 Critical — Never expose the WebGUI on the WAN. If remote access is necessary, always use the VPN.

*Fig. 10.1 — pfSense hardening measures, reducing the attack surface: WebGUI not exposed on WAN, MFA (TOTP) on the WebGUI, HTTPS + HSTS enforced, SSH public key only, encrypted config backup, external syslog with 90-day retention, regular updates with snapshots, DNSSEC enabled; each measure reduces the attack surface, so apply the CRITICAL (red) items first*

pfSense™ is a registered trademark of Netgate. This tutorial is provided for educational purposes.