How to use pfSense: Use cases and initial configurations
Open source firewall and routing software pfSense offers a compelling mix of capabilities that can work for organizations large and small.
PfSense, a FreeBSD distribution that has been around for more than 20 years, offers organizations of any size a versatile suite of routing and firewall capabilities.
The free, open source software comes in two editions: Community Edition and pfSense Plus. CE is updated regularly with new features and is sufficient for organizations that can rely on documentation and the user community for general configurations. Consider the commercial version, pfSense Plus, if your company needs additional support or enhanced enterprise-class features.
Let's examine how to use pfSense in your organization. This article covers pfSense's primary features and lists installation and initial configuration options. PfSense is an extensive distribution with many services, so use the documentation links to drill down to essential settings.
PfSense use cases
Some of pfSense's success is tied to its long list of capabilities. PfSense devices are in small and large business networks, as well as some home environments. Its flexibility makes it a compelling addition to any network.
PfSense's primary features include the following:
- Routing.
- Network address translation.
- Firewall.
- Load balancing.
- VPN support.
- Dynamic Host Configuration Protocol (DHCP) server.
- DNS name resolution.
- Wireless access point management.
In addition to its core capabilities for security and network practitioners, pfSense is a great learning tool for those entering the network management career path. When combined with open source Linux VMs, you can create and manage a comprehensive network environment with virtualization apps, such as Microsoft Hyper-V or Oracle VirtualBox.
Deployment requirements
PfSense can be deployed in a variety of ways. Provision it on modern bare-metal devices, legacy hardware or VMs. PfSense also offers dedicated hardware.
Bare metal
PfSense has only modest hardware requirements. Provide the following minimum hardware specifications on a dedicated physical machine or VM:
- AMD64 64-bit CPU -- works with Intel CPUs.
- 1 GB of RAM.
- 8 GB of storage space.
- One or more network interface cards.
- Bootable USB or DVD drive for installation.
You might need to allocate additional memory or storage space to support some features. Make sure the network components do not become a bottleneck.
Dedicated appliance
The pfSense project offers a suite of Netgate appliances that are fully compatible with the distribution.
VMs
Virtualizing your pfSense installation is similar to other OSes. Download the installer, configure networking and create the VM. Finally, install the OS, and configure its features. Here are the steps:
- Download the ISO.
- Launch VMware vSphere/ESXi, Microsoft Hyper-V or another virtualization platform.
- Create virtual switches to provide connectivity between the guest OS (pfSense) and the host OS.
- Create a VM with the minimum specifications defined above.
- Indicate you will install the OS from the ISO in the virtualization software.
- Before starting the VM, turn off "enable Secure Boot."
- Start the VM from the ISO, and follow the installation prompts.
Deployments on other virtualization platforms, such as VirtualBox, are typically successful.
When learning how to use pfSense, check the community's extensions and plugins if the core functionality doesn't meet your needs. You might find additional capabilities there. Browse the available packages using the built-in package manager found in the standard pfSense web interface.
Initial configurations
PfSense includes two management interfaces. The most basic is a CLI menu of common settings, which also displays the current interface IP address information. Be careful to secure this menu, because it offers users the ability to reset the admin password for the webConfigurator configuration tool.
![Screenshot of the CLI admin interface in pfSense](https://www.techtarget.com/rms/onlineimages/pfsense_image1-h_mobile.jpg)
The webConfigurator tool enables users to administer pfSense. It offers extensive menus, configuration interfaces, monitoring, documentation and more. Begin by authenticating.
![Screenshot of webConfigurator interface in pfSense](https://www.techtarget.com/rms/onlineimages/pfsense_image2-h_mobile.jpg)
You have many options from here. One of the first administrative tasks is to set up pfSense's interfaces to support its routing and firewall functionality. Define IP address and security settings for each interface.
![Screenshot of configuring network interfaces in pfSense](https://www.techtarget.com/rms/onlineimages/pfsense_image3-h_mobile.jpg)
You're also likely to configure any custom inbound and outbound firewall rules for services found on either side of the router.
![Screenshot of defining firewall rules in pfSense](https://www.techtarget.com/rms/onlineimages/pfsense_image4-h_mobile.jpg)
PfSense offers many network services, including DHCP management and DNS forwarding. It can even act as a Network Time Protocol device, and it supports basic DHCP pool options, client reservations and address relays.
![Screenshot of configuring pfSense as a DHCP server](https://www.techtarget.com/rms/onlineimages/pfsense_image5-h_mobile.jpg)
![Screenshot of DHCP address reservations in pfSense](https://www.techtarget.com/rms/onlineimages/pfsense_image6-h_mobile.jpg)
Configure your pfSense device as a VPN endpoint to support remote clients or router-to-router encryption between remote offices.
![Screenshot of the OpenVPN option in pfSense](https://www.techtarget.com/rms/onlineimages/pfsense_image7-h_mobile.jpg)
Monitoring is a critical aspect of security and device management. PfSense's built-in monitoring and diagnostic tools identify bottlenecks, failing services, misconfigurations and more.
![Screenshot of monitoring tools in pfSense](https://www.techtarget.com/rms/onlineimages/pfsense_image8-h_mobile.jpg)
PfSense also offers pfTop -- its version of Linux's top utility, which highlights processor and memory workloads on a per-process basis. It's a staple of Linux administrators everywhere, so it's nice to see it included in this distribution.
![Screenshot of the pfTop utility in pfSense](https://www.techtarget.com/rms/onlineimages/pfsense_image9-h_mobile.jpg)
PfSense has far too many features to cover them all here, but suffice it to say that nearly any network security capability you might need is available. PfSense's extensive plugin library adds even more functionality.
Documentation
PfSense's active community has generated a comprehensive documentation library that lets you quickly find the steps necessary to support almost any deployment. The official documentation is well organized and searchable. Netgate support plans are also available for organizations that need responsive vendor support and answers to complex issues or configurations. Support, via subscription, is available 24/7 worldwide.
PfSense best practices
PfSense's best practices mirror those for any deployment. When learning how to use pfSense, keep the software patched, disable services you don't need, use monitoring to watch for security events and enforce strong authentication for administrators.
The following are a few specifics to keep in mind:
- Disable SSH connectivity for external connections.
- Implement key-based authentication for SSH administrative connections.
- Enable two-factor authentication.
- Keep pfSense current and patched.
- Carefully manage DHCP configurations.
- Consider using reserved IP addresses for some devices.
- Configure logging and monitoring.
- Configure VPN connectivity to manage remote users.
Carefully secure your pfSense devices, whether physical or virtual, to maintain their integrity.
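The management-access items in the list above (external SSH exposure, key-based SSH authentication) and the earlier caution about the console menu can be checked offline against a configuration backup. The following is an added example, not code from this article or the pfSense project; the `config.xml` element names and values it reads are assumptions about the backup layout to confirm against your own export, and the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the assumed shape of a pfSense config.xml backup.
SAMPLE_CONFIG = """<pfsense>
  <system>
    <ssh><enable>enabled</enable></ssh>
    <webgui><protocol>http</protocol></webgui>
  </system>
  <filter>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <destination><network>wanip</network><port>22</port></destination>
    </rule>
    <rule>
      <disabled/><type>pass</type><interface>wan</interface>
      <destination><any/><port>443</port></destination>
    </rule>
  </filter>
</pfsense>"""

MGMT_PORTS = {"22", "443"}          # SSH and HTTPS GUI defaults (assumed unchanged)
SELF_TARGETS = {"wanip", "(self)"}  # destinations that mean the firewall itself


def audit(xml_text):
    """Return findings for management-plane settings in a config backup."""
    root = ET.fromstring(xml_text)
    findings = []
    ssh = root.find("system/ssh")
    if ssh is not None and ssh.findtext("enable") == "enabled":
        if ssh.findtext("sshdkeyonly") not in ("enabled", "both"):
            findings.append("SSH enabled without key-based authentication")
    if root.findtext("system/webgui/protocol") != "https":
        findings.append("webConfigurator not served over HTTPS")
    if root.find("system/disableconsolemenu") is None:
        findings.append("console menu is not password protected")
    # Exact port matches only; aliases and port ranges are not resolved here.
    for rule in root.findall("filter/rule"):
        dst = rule.find("destination")
        if rule.find("disabled") is not None or dst is None:
            continue
        to_fw = dst.find("any") is not None or dst.findtext("network") in SELF_TARGETS
        if (rule.findtext("type") == "pass" and rule.findtext("interface") == "wan"
                and to_fw and dst.findtext("port") in MGMT_PORTS):
            findings.append("WAN pass rule exposes management port " + dst.findtext("port"))
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Run it on a workstation against an exported backup rather than on the firewall, and handle the backup file as sensitive material.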
PfSense is a compelling choice for routing, firewall and other network management functions. It can be installed on bare-metal and virtualized platforms, and its active community- and enterprise-level support options make it attractive to organizations of any size.
Begin working with pfSense today to learn how this feature-rich open source distribution can improve your organization's network security.
Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to Informa TechTarget Editorial, The New Stack and CompTIA Blogs.