Configuration

Most pfSense® software configuration is performed using the web-based GUI. A few tasks may also be performed from the console, whether it is reached with a monitor and keyboard, over a serial port, or via SSH.

Connecting to the GUI

To reach the GUI, follow this basic procedure:

  • Connect a client computer to the same network as the LAN interface of the firewall. This computer may be directly connected with a network cable or connected to the same switch as the LAN interface of the firewall.

    By default, the LAN IP address of a new installation of pfSense software is 192.168.1.1 with a /24 mask (255.255.255.0), and there is also a DHCP server running. If a client computer is set to use DHCP, it should obtain an address in the LAN subnet automatically.

  • On the client computer, open a web browser such as Firefox, Safari, or Chrome and navigate to https://192.168.1.1.

    The GUI listens on HTTPS by default, but if the browser attempts to connect using HTTP, it will be redirected by the firewall to the HTTPS port instead.

  • Enter the default credentials in the login page:

    username: admin

    password: pfsense

In some cases additional steps may be necessary before the client computer can reach the GUI.

Warning

If the default LAN subnet conflicts with the WAN subnet, the LAN subnet must be changed before connecting it to the rest of the network. Attempting to access the GUI in this situation is unpredictable and unlikely to work until the conflict is resolved.

The LAN IP address may be changed and DHCP may be disabled using the console:

  • Open the console (VGA, serial, or using SSH from another interface)

  • Choose option 2 from the console menu

  • Enter the new LAN IP address, subnet mask, and specify whether or not to enable DHCP.

  • Enter the starting and ending address of the DHCP pool if DHCP is enabled. This can be any range inside the given subnet.

Note

When assigning a new LAN IP address, it cannot be in the same subnet as the WAN or any other active interface. If there are other devices already present on the LAN subnet, it also cannot be set to the same IP address as an existing host.

If the DHCP server on the firewall is disabled, client computers on LAN must have a statically configured IP address in the LAN subnet, such as 192.168.1.5, with a subnet mask that matches the one given to the firewall, such as 255.255.255.0.
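The constraints above (no overlap with WAN or other active interfaces, no clash with an existing host, DHCP pool inside the subnet) can be checked before typing values into console option 2. This is an added example, not part of pfSense software; the function name `check_lan_plan` and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress

def check_lan_plan(lan_ip, prefix, other_subnets, pool=None, existing_hosts=()):
    """Return a list of problems with a proposed LAN setup (empty list = OK)."""
    problems = []
    iface = ipaddress.ip_interface(f"{lan_ip}/{prefix}")
    lan = iface.network
    reserved = (lan.network_address, lan.broadcast_address)
    # The firewall needs a usable host address, not the network/broadcast one.
    if lan.prefixlen < 31 and iface.ip in reserved:
        problems.append(f"{iface.ip} is the network or broadcast address of {lan}")
    # The LAN subnet may not overlap WAN or any other active interface.
    for name, cidr in other_subnets.items():
        other = ipaddress.ip_network(cidr, strict=False)  # accepts host/mask form
        if lan.overlaps(other):
            problems.append(f"LAN {lan} overlaps {name} {other}")
    # The LAN address may not duplicate a host already on the segment.
    for host in existing_hosts:
        if ipaddress.ip_address(host) == iface.ip:
            problems.append(f"{iface.ip} is already used by an existing host")
    # The DHCP pool must be an ordered range of host addresses inside the subnet.
    if pool:
        start, end = (ipaddress.ip_address(a) for a in pool)
        if start > end:
            problems.append("DHCP pool start is above pool end")
        for addr in (start, end):
            if addr not in lan or addr in reserved:
                problems.append(f"DHCP pool address {addr} is not a host address in {lan}")
    return problems

if __name__ == "__main__":
    # Constructed scenario: the upstream router already uses 192.168.1.0/24 on WAN.
    wan = {"WAN": "192.168.1.37/24"}
    print(check_lan_plan("192.168.1.1", 24, wan))       # default LAN conflicts
    print(check_lan_plan("10.20.30.1", 24, wan,
                         pool=("10.20.30.100", "10.20.30.199"),
                         existing_hosts=["10.20.30.5"]))  # clean plan
```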