I assume you have the basic installation on the machine done already; the only thing to note is that I use UFS, not ZFS, for a single drive. If you need help with the general setup, see the video below from Lawrence Systems:
https://youtu.be/fsdm5uc_LsU?si=s4NTje2e-IJq66dZ
To download the ISO without signing in or signing up:
https://atxfiles.netgate.com/mirror/downloads/
Source: https://forums.lawrencesystems.com/t/solved-download-pfsense-iso-without-account/22836/3
Look at Primary Console.
If it is set to Serial and your IPMI/iDRAC is expecting VGA, the boot will appear to halt: the OS has stopped sending text to the VGA console and is sending it to a serial port that isn't connected to anything.
Set it to Video and uncheck Secondary Console.
------------------
In the "Path to file to be edited" box, type: /boot/loader.conf.local
Click Load. (If the file is empty, that is fine.)
background_fsck="NO": run the full disk check before the system starts rather than in the background, so a damaged filesystem is repaired before services come up.
fsck_y_enable="YES": answer Yes to all repair prompts automatically, so an unattended boot does not sit waiting for a console.
kern.cam.boot_delay="10000": pause 10 seconds (the value is in milliseconds) to let the storage controllers settle during a cold boot.
hw.pci.re_enable_msi="1": tells the kernel to re-enable MSI interrupts on PCI devices that come up with them disabled, rather than leaving the device idle.
vfs.root.mountfrom.options="rw,noatime": mount the root filesystem read-write (together with fsck_y_enable="YES" the check can repair and then mount normally); noatime stops access-time updates, cutting needless writes to the disk.
Note: background_fsck and fsck_y_enable are rc.conf(5) variables in stock FreeBSD, not loader(8) tunables; placed in loader.conf.local they only become kernel environment variables, so confirm that your pfSense version honours them there before relying on them.
Paste these lines into the box:
hw.pci.re_enable_msi="1"
kern.cam.boot_delay="10000"
vfs.root.mountfrom.options="rw,noatime"
background_fsck="NO"
fsck_y_enable="YES"
After that we want to update to the latest version; as of writing that is 2.8.1.
Turn the option off if you had it on before.
Change the branch to the latest (2.8.1).
Turn the option off > Dashboard Check
Click Save.
Check that the branch is correct (2.8.1), perform a full update and wait until the machine is back online.
If you don't have a direct connection to the "real" WAN but sit behind another NAT, or run this as a virtual firewall inside your lab, then for packets to flow out you need to disable "Block private networks and loopback addresses" on the WAN interface.
Set up DHCP or static addressing depending on your setup.
Now we want to harden the system a bit. By default pfSense is good enough, but I assume you want more :) I only want DNS, HTTP/HTTPS and NTP to go through this firewall, so let's set that up together with pfBlockerNG and Suricata.
Set a custom TCP port for access to the web UI. This stops many casual attempts, since an attacker also needs to know the port, but it does not stop an internal port scanner.
Turn the option off if you had it on before.
Turn on Console menu (password protect the console menu) so that a password is required even when you are directly connected to the machine.
Make sure it is NOT enabled.
Click on ( + Add )
Name: Allowed_Web_Ports
Description: Allowed_Web_Ports
Type: Port(s)
Then add the following in the Port(s) section:
80 - HTTP
443 - HTTPS
53 - DNS
123 - NTP
Click save
Click Apply changes
Click Add
Action: Pass
Interface: LAN
Address Family: IPv4
Protocol: TCP/UDP
Source: Network, then add your network, e.g. 192.168.1.0/24
Destination: Any
Destination Port Range: in the Custom field, add Allowed_Web_Ports (the alias we created before)
Description: Allow specific web/DNS/NTP traffic (Alias)
Click save
Click Add
Action: Reject
Interface: LAN
Address Family: IPv4+IPv6
Protocol: Any
Source: Any
Destination: Any
Description: Default Outbound Deny
ALWAYS KEEP the Anti-Lockout Rule, otherwise you might lock yourself out of the web UI.
Rules are evaluated from the top down, so the order matters. There are two other rules (the default allow-LAN-to-any rules); delete them so the list reads, top to bottom:
Anti-Lockout Rule
Allow specific web/DNS/NTP traffic (Alias)
Default Outbound Deny
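As an added example (not part of the original guide), here is a small Python first-match simulation of the three LAN rules above. It assumes the LAN network 192.168.1.0/24 from the rule, a firewall LAN address of 192.168.1.1, and that the anti-lockout rule covers a custom web GUI port of 8443 plus SSH on 22; the sample packets are constructed. It shows that order decides everything, that ICMP from the LAN is rejected because the alias only covers TCP/UDP ports, and that a client pointing at 8.8.8.8 directly still passes because the destination is Any.

```python
"""Added example (not from the original guide): first-match simulation of the
three LAN rules built above. Sample packets are constructed here; nothing is
sent on the wire."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ALLOWED_WEB_PORTS = {80, 443, 53, 123}     # the Allowed_Web_Ports alias
LAN_NET = ip_network("192.168.1.0/24")      # LAN network used in the guide
FW_LAN_IP = ip_address("192.168.1.1")       # assumed firewall LAN address
ANTI_LOCKOUT_PORTS = {8443, 22}             # assumed custom webGUI port and SSH


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "icmp"
    dport: int = 0      # 0 = not applicable (icmp)


def anti_lockout(p: Packet) -> bool:
    # pfSense's built-in rule: TCP to the firewall's own LAN address, GUI/SSH ports only
    return p.proto == "tcp" and ip_address(p.dst) == FW_LAN_IP and p.dport in ANTI_LOCKOUT_PORTS


def allow_alias(p: Packet) -> bool:
    # Pass, LAN, IPv4, TCP/UDP, source LAN net, destination any, dport in alias
    return (p.proto in ("tcp", "udp")
            and ip_address(p.src) in LAN_NET
            and p.dport in ALLOWED_WEB_PORTS)


def reject_all(p: Packet) -> bool:
    return True


# (name, action, matcher) in the order the guide puts them in the GUI
RULES = [
    ("Anti-Lockout Rule", "pass", anti_lockout),
    ("Allow specific web/DNS/NTP traffic (Alias)", "pass", allow_alias),
    ("Default Outbound Deny", "reject", reject_all),
]


def evaluate(p: Packet, rules=RULES):
    """pfSense GUI rules are 'quick' in pf: the first matching rule decides."""
    for name, action, match in rules:
        if match(p):
            return action, name
    return "block", "implicit default deny"


def shadowed_rules(rules, packets):
    """Rules that never win for any sample packet: a sign they sit below a broader rule."""
    hit = {evaluate(p, rules)[1] for p in packets}
    return [name for name, _, _ in rules if name not in hit]


# Constructed sample traffic from a LAN host
SAMPLES = [
    Packet("192.168.1.50", "8.8.8.8", "udp", 53),        # DNS straight to Google: passes (skips Unbound/DNSBL)
    Packet("192.168.1.50", "1.1.1.1", "tcp", 443),       # HTTPS
    Packet("192.168.1.50", "192.168.1.1", "tcp", 8443),  # webGUI via anti-lockout
    Packet("192.168.1.50", "203.0.113.7", "tcp", 22),    # SSH out: rejected
    Packet("192.168.1.50", "8.8.8.8", "icmp"),           # ping: rejected, not in the alias
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p.proto:4} {p.dst}:{p.dport:<5} -> {evaluate(p)}")
    misordered = [RULES[0], RULES[2], RULES[1]]
    print("shadowed when Reject sits above the alias rule:", shadowed_rules(misordered, SAMPLES))
```

Run it to see the verdicts; shadowed_rules() reports any rule that never wins for the sample traffic, which is exactly what happens if the Reject rule is dragged above the alias rule. Two consequences of this rule set worth knowing: the allow rule is IPv4 only while the reject rule is IPv4+IPv6, so all IPv6 from the LAN is rejected; and because port 53 is allowed to any destination, a device can query a public resolver directly and skip the Unbound/DNSBL filtering set up later, unless you restrict the DNS destination to the firewall's own LAN address.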
Add your DNS servers here:
Cloudflare: 1.1.1.1, 1.0.0.1 (TLS hostname: cloudflare-dns.com)
Google Public DNS: 8.8.8.8, 8.8.4.4 (TLS hostname: dns.google)
Quad9: 9.9.9.9, 149.112.112.112 (TLS hostname: dns.quad9.net)
AdGuard DNS: 94.140.14.14, 94.140.15.15 (TLS hostname: dns.adguard-dns.com)
Mullvad (all) DNS: 194.242.2.9 (TLS hostname: all.dns.mullvad.net)
DNS Server Override: uncheck this box (this prevents your ISP's DHCP from forcing its DNS servers on you).
DNS Resolution Behavior: select "Use local DNS (127.0.0.1), fall back to remote servers".
Turn on DNS Query Forwarding and use SSL/TLS for the outgoing queries (DNS over TLS, DoT).
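As an added example (not from the original guide), this Python probe sends one DNS-over-TLS query to each forwarder listed above and validates the server certificate against the TLS hostname, which is what Unbound does with the hostname entered next to each server IP. The wire-format helpers and the constructed sample response run offline; dot_query() needs outbound 853/tcp, so run it from the pfSense shell (the firewall's own outbound traffic is not subject to the LAN rules) rather than from a LAN host, where 853 is rejected because it is not in the alias. The fixed transaction ID and the example.com query are assumptions for the sample.

```python
"""Added example (not from the original guide): a minimal DNS-over-TLS probe for
the forwarders listed above, checking the server certificate against the TLS
hostname the same way Unbound is asked to. The wire-format helpers run offline
against a constructed response; dot_query() needs network access."""
import socket
import ssl
import struct

# IP -> TLS hostname, as entered next to each DNS server in the guide
DOT_SERVERS = {
    "1.1.1.1": "cloudflare-dns.com",
    "1.0.0.1": "cloudflare-dns.com",
    "8.8.8.8": "dns.google",
    "9.9.9.9": "dns.quad9.net",
    "94.140.14.14": "dns.adguard-dns.com",
    "194.242.2.9": "all.dns.mullvad.net",
}
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QUERY_ID = 0x1234  # fixed for the sample; use os.urandom(2) in anything real


def encode_name(name: str) -> bytes:
    """Dotted name -> DNS label sequence ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = QUERY_ID) -> bytes:
    """Standard query: RD set, one question, class IN (qtype 1 = A)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_response(data: bytes, expected_id: int) -> dict:
    """Return the header facts that matter for a forwarder check."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_id:
        raise ValueError("transaction ID mismatch: not our answer")
    return {
        "is_response": bool(flags & 0x8000),
        "truncated": bool(flags & 0x0200),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the TLS stream early")
        buf += chunk
    return buf


def dot_query(ip: str, tls_name: str, name: str, timeout: float = 5.0) -> dict:
    """RFC 7858: DNS message with a 2-byte length prefix inside TLS on port 853.
    create_default_context() validates the chain and matches tls_name against
    the certificate, so a wrong hostname or an intercepting proxy fails here."""
    ctx = ssl.create_default_context()
    query = build_query(name)
    with socket.create_connection((ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_response(recv_exact(tls, length), QUERY_ID)


# Constructed sample answer (example.com A 93.184.216.34) for the offline check
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", QUERY_ID, 0x8180, 1, 1, 0, 0)       # QR, RD, RA, NOERROR
    + encode_name("example.com") + struct.pack("!HH", 1, 1)     # echoed question
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4)          # name pointer, A, IN, TTL, rdlen
    + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    for ip, host in DOT_SERVERS.items():
        try:
            print(ip, host, dot_query(ip, host, "example.com"))
        except (OSError, ValueError) as exc:
            print(ip, host, "FAILED:", exc)
```

A certificate or hostname failure surfaces as an ssl.SSLError from wrap_socket(), which is the same condition under which Unbound refuses the upstream; a clean run prints NOERROR with at least one answer for every server in the list.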
Install the following packages:
pfBlockerNG-devel
suricata
The wizard should launch automatically the first time. If not, look for the "Wizard" tab.
(Step 2)
Inbound Interface: Select WAN
Outbound Interface: Select LAN. This is the interface whose devices are prevented from talking to known ad/malware/phishing sites.
DNSBL VIP: leave this as the default (usually 10.10.10.1). This is a virtual address that serves a blank page when an ad is blocked.
DNSBL Mode: Select Unbound Python Mode
De-Duplication: Enable this
Kill States: Enable this
For IP blocking: PRI1 (a good starting point)
For DNS (ads/malware): the StevenBlack or OISD lists
Select Force, then Update, and click Run.
You should now see a new rule below the Anti-Lockout Rule, for example pfB_PRI1_v4 auto rule.
GeoIP blocking would show up here too if you set it up; that is outside this guide's scope.
Check "Install Snort Community Rules" and "Install Emerging Threats Open Rules"
Save at the bottom, then go to the Updates tab and click Update to download the actual rule signatures.
Click the + Add button.
Enable: Check "Enable Suricata on this interface."
Interface: Select LAN
Description: Give it a name like LAN_Security.
Block Offenders: Check this box (otherwise it only logs and doesn't stop anything).
IPS Mode: This is where you pick Legacy vs Inline.
Search Method: Set this to Hyperscan
Click the Start (Green Play Button) under the "Actions" column.
BUT if you also want the WAN side inspected, install Snort and bind it to WAN so the two packages split the work. Keep in mind there are two ways of filtering (Legacy and Inline); for now we have only set up IDS as a start.
Darkstat or ntopng provide a real-time web interface showing exactly which device is talking to which IP address and how much data is moving.
Zeek <3