The first time a user logs into pfSense, the firewall presents the Setup Wizard automatically. The first page of the wizard is shown in Figure Setup Wizard Starting Screen.
Click Next to start the configuration process using the wizard.
Using the setup wizard is optional. Click the pfSense logo at the top left of the page to exit the wizard at any time.
General Information Screen¶
The next screen (Figure General Information Screen) configures the name of this firewall, the domain in which it resides, and the DNS servers for the firewall.
The Hostname can be nearly anything, but must start with a letter and it may contain only letters, numbers, or a hyphen.
Enter a Domain, e.g.
|Primary/Secondary DNS Server:|
The IP address of the Primary DNS Server and Secondary DNS Server may be filled in, if required and if they are known.
These DNS servers may be left blank if the DNS Resolver will remain active using its default settings. The default pfSense configuration has the DNS Resolver active in resolver mode (not forwarding mode), when set this way, the DNS Resolver does not need forwarding DNS servers as it will communicate directly with Root DNS servers and other authoritative DNS servers. To force the firewall to use these configured DNS servers, enable forwarding mode in the DNS Resolver or use the DNS Forwarder.
If this firewall has a dynamic WAN type such as DHCP, PPTP or PPPoE these may be automatically assigned by the ISP and can be left blank.
When checked, a dynamic WAN ISP can supply DNS servers which override those set manually. To force the use of only the DNS servers configured manually, uncheck this option.
For more information on configuring the DNS Resolver, see DNS Resolver
Click Next to continue.
NTP and Time Zone Configuration¶
The next screen (Figure NTP and Time Zone Setup Screen) has time-related options.
|Time server hostname:|
A Network Time Protocol (NTP) server hostname or IP
address. Unless a specific NTP server is required, such as one on LAN, the
best practice is to leave the Time server hostname at the default
To utilize multiple time servers, add them in the same box, separating each server by a space. For example, to use three NTP servers from the pool, enter:
0.pfsense.pool.ntp.org 1.pfsense.pool.ntp.org 2.pfsense.pool.ntp.org
This numbering is specific to how
Choose a geographically named zone which best matches location of this firewall, or any other desired zone.
Click Next to continue.
The next page of the wizard configures the WAN interface of the firewall. This is the external network facing the ISP or upstream router, so the wizard offers configuration choices to support several common ISP connection types.
The Selected Type (Figure WAN Configuration) must match the type of WAN required by the ISP, or whatever the previous firewall or router was configured to use. Possible choices are Static, DHCP, PPPoE, and PPTP. The default choice is DHCP due to the fact that it is the most common, and for the majority of cases this setting allows a firewall to “Just Work” without additional configuration. If the WAN type is not known, or specific settings for the WAN are not known, this information must be obtained from the ISP. If the required WAN type is not available in the wizard, or to read more information about the different WAN types, see Interface Types and Configuration.
If the WAN interface is wireless, additional options will be presented by the wizard which are not covered during this walkthrough of the standard Setup Wizard. Refer to Wireless, which has a section on Wireless WAN for additional information. If any of the options are unclear, skip the WAN setup for now, and then perform the wireless configuration afterward.
This field, shown in Figure General WAN Configuration, changes the MAC address used on the WAN network interface. This is also known as “spoofing” the MAC address.
The problems alleviated by spoofing a MAC address are typically temporary and easily worked around. The best course of action is to maintain the hardware’s original MAC address, resorting to spoofing only when absolutely necessary.
Changing the MAC address can be useful when replacing an existing piece of network equipment. Certain ISPs, primarily Cable providers, will not work properly if a new MAC address is encountered. Some Internet providers require power cycling the modem, others require registering the new address over the phone. Additionally, if this WAN connection is on a network segment with other systems that locate it via ARP, changing the MAC to match and older piece of equipment may also help ease the transition, rather than having to clear ARP caches or update static ARP entries.
If this firewall will ever be used as part of a High Availability Cluster, do not spoof the MAC address.
|Maximum Transmission Unit (MTU):|
The MTU field, shown in Figure General WAN Configuration, can typically be left blank, but can be changed when necessary. Some situations may call for a lower MTU to ensure packets are sized appropriately for an Internet connection. In most cases, the default assumed values for the WAN connection type will work properly.
|Maximum Segment Size (MSS):|
MSS, shown in Figure General WAN Configuration can typically be left blank, but can be changed when necessary. This field enables MSS clamping, which ensures TCP packet sizes remain adequately small for a particular Internet connection.
|Static IP Configuration:|
|If the “Static” choice for the WAN type is selected, the IP address, Subnet Mask, and Upstream Gateway must all be filled in (Figure Static IP Settings). This information must be obtained from the ISP or whoever controls the network on the WAN side of this firewall. The IP Address and Upstream Gateway must both reside in the same Subnet.|
|DHCP Hostname:||This field (Figure DHCP Hostname Setting) is only required by a few ISPs. This value is sent along with the DHCP request to obtain a WAN IP address. If the value for this field is unknown, try leaving it blank unless directed otherwise by the ISP.|
When using the PPPoE (Point-to-Point Protocol over Ethernet) WAN type (Figure PPPoE Configuration), The PPPoE Username and PPPoE Password fields are required, at a minimum. The values for these fields are determined by the ISP.
The PPTP (Point-to-Point Tunneling Protocol) WAN type (Figure PPTP WAN Configuration) is for ISPs that require a PPTP login, not for connecting to a remote PPTP VPN. These settings, much like the PPPoE settings, will be provided by the ISP. A few additional options are required:
These last two options, seen in Figure Built-in Ingress Filtering Options, are useful for preventing invalid traffic from entering the network protected by this firewall, also known as “Ingress Filtering”.
|Block RFC 1918 Private Networks:|
|Blocks connections sourced from registered private networks such as 192.168.x.x and 10.x.x.x attempting to enter the WAN interface . A full list of these networks is in Private IP Addresses.|
|Block Bogon Networks:|
|When active, the firewall blocks traffic from entering if it is sourced from reserved or unassigned IP space that should not be in use. The list of bogon networks is updated periodically in the background, and requires no manual maintenance. Bogon networks are further explained in Block Bogon Networks.|
Click Next to continue once the WAN settings have been filled in.
LAN Interface Configuration¶
This page of the wizard configures the LAN IP Address and Subnet Mask (Figure LAN Configuration).
If this firewall will not connect to any other network via VPN, the default
192.168.1.0/24 network may be acceptable. If this network must be connected
to another network, including via VPN from remote locations, choose a private IP
address range much more obscure than the common default of
IP space within the
172.16.0.0/12 RFC 1918 private address block is
generally the least frequently used, so choose something between
172.31.x.x to help avoid VPN connectivity difficulties.
If the LAN is
192.168.1.x and a remote client is at a wireless hotspot using
192.168.1.x (very common), the client will not be able to communicate across
the VPN. In that case,
192.168.1.x is the local network for the client at
the hotspot, not the remote network over the VPN.
If the LAN IP Address must be changed, enter it here along with a new Subnet Mask. If these settings are changed, the IP address of the computer used to complete the wizard must also be changed if it is connected through the LAN. Release/renew its DHCP lease, or perform a “Repair” or “Diagnose” on the network interface when finished with the setup wizard.
Click Next to continue.
Set admin password¶
Next, change the administrative password for the WebGUI as shown in Figure Change Administrative Password. The best practice is to use a strong and secure password, but no restrictions are automatically enforced. Enter the password in the Admin Password and confirmation box to be sure that has been entered correctly.
Click Next to continue.
Do not leave the password set to the default
access to the firewall administration via WebGUI or SSH is exposed to the
Internet, intentionally or accidentally, the firewall could easily be
compromised if it still uses the default password.
Completing the Setup Wizard¶
That completes the setup wizard configuration. Click Reload (Figure Reload pfSense WebGUI) and the WebGUI will apply the settings from the wizard and reload services changed by the wizard.
If the LAN IP address was changed in the wizard and the wizard was run from the LAN, adjust the client computer’s IP address accordingly after clicking Reload.
When prompted to login again, enter the new password. The username remains
At this point the firewall will have basic connectivity to the Internet via the WAN and clients on the LAN side will be able to reach Internet sites through this firewall.
If at any time this initial configuration must be repeated, revisit the wizard at System > Setup Wizard from within the WebGUI.