Posted on

How to Install pfSense® CE 2.4 on the Vault

Last Updated On January 10, 2019
You are here:

Note: pfSense® CE is open source software developed for the benefit of the community.  If you are using pfSense® CE with the Vault, please consider supporting the pfSense project.  https://www.pfsense.org/get-involved

Note: pfSense® CE will require hardware encryption support, specifically Intel AES-NI, starting with version 2.5. This is announced at https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html. The Vault FW1 and FW2 (J1800 based CPU) series DO NOT support AES-NI. The Vault FW2B, FW4A, FW4B and FW6 series DO support AES-NI.  


Note: pfSense® CE version 2.4.4 is now available. A previous article was published at this link regarding an important issue and workaround in pfSense® CE version 2.4.4 due to the fact that it is based on FreeBSD 11.2 . Both of these issues can be resolved by setting BIOS to UEFI mode on the Vault. This article supersedes that one and following the instructions below eliminates the need to refer to the previous article.

There are two ways to install pfSense® CE on the Vault.  Because the Vault has a COM (serial console) port, users can install pfSense® CE using only the COM port, OR, users can install pfSense® CE the more ‘traditional’ way by using a VGA or HDMI monitor, along with a USB keyboard.

  • The easiest way to install pfSense® CE that is most likely to be error-free is with a VGA (FW1, FW2, FW4A series) or HDMI (FW2B, FW4B, FW6 series) monitor and a USB keyboard, using the VGA version of the installer
  • If the user chooses to install pfSense® CE with the serial console port on the Vault, the user MUST use the serial version of the installer.
  • If the user encounters an issue whereby the installation appears to stop and not proceed, please double check to ensure you’re using the correct version of the pfSense® CE installer with your chosen installation method.

Note: If installing using a VGA monitor and USB keyboard on a Vault FW1x, FW2x, or FW4x, be sure to use a USB stick and a USB keyboard with a plug that is relatively skinny.  The 2 USB ports on the Vault are very close to each other and if either the USB stick or the USB keyboard plug is too wide, you will not be able to plug both in at the same time, which will prevent you from doing the installation.

Install pfSense® CE

Obtain the Installation Image and Uncompress it

The pfSense® CE installation image (IMG) can be downloaded from https://www.pfsense.org/download/. The same image can be used to install pfSense® CE on any of the Vault platforms. It is important to choose the correct options when downloading the image including “Version”, “Architecture”, “Installer”, and “Console.”  The proper selections are as follows for installing the Vault using a VGA monitor and USB Keyboard:

Version: The latest available (2.4.4 as of this edit)

Architecture: AMD64 (64 bit)

Console: VGA or Serial as needed (see note above; VGA or HDMI monitor = VGA installer; COM port  = serial installer)

Installer: USB Memstick Installer

Your download should begin immediately and when it is completed you should have a compressed IMG file (an example file name is: pfSense-CE-memstick-2.4.4-RELEASE-amd64.img.gz) downloaded that is ~300MB in size.

Now that the compressed image file has been downloaded, you will need to use a program like “7zip” or “winzip” to decompress the file.  The resulting file should look the same, except that the file name will now end in “.img” instead of “.img.gz”.

Download software to transfer the installation image to a USB drive

The easiest way to transfer the installation image to a USB drive is by using software called “Rufus” on Windows or “Etcher” on Apple OSX. See this link for  detailed instructions on how to create a bootable USB drive using Rufus or Etcher.

Install the new image

Note: The installation procedures outlined below are captured from a sample install using the ‘memstick’ installer on a ‘serial’ console.  As such, installations using the ‘VGA’ console may look slightly different.  The steps are the same.

  • Verify that the Vault is powered down
  • Verify that the VGA monitor or serial console is connected
  • Verify that the USB keyboard is plugged in (you can skip this step if you are using the serial installer)
  • While powering up the Vault, press “DEL” key and verify that it boots to the BIOS.
  • Select “Advanced” tab
  • Select “CSM Configuration”
  • Select “Boot option filter”
  • Select “UEFI only”
  • Press “F4” to save and exit the BIOS
  • Power off the unit and insert the USB install drive into the other USB port on the Vault
  • While powering up the Vault again, press “F11” key and verify that it boots to the BIOS boot options screen.
    • NOTE: If using the serial installer, F11 commonly will not show the boot options menu.  In this case, use the “DEL” key to enter the BIOS.  In the BIOS, a specific boot device can be chosen from the last, or rightmost tab.
  • Select the USB drive UEFI partition to boot from
  • Verify that the Vault boots and begins the installation process
  • Follow the on screen installation prompts to install pfSense® CE

 pfSense® CE is based on FreeBSD. One of the options when installing is to select the filesystem type. FreeBSD now has the option to install the ZFS filesystem. Protectli recommends installing ZFS as the type of filesystem, particularly to guard against data corruption. See this link for more information on ZFS.

  • Select “Install”
  • Select Keyboard options
  • At the filesytem prompt, select “Auto (ZFS)”
  • Select “Install”
  • At the ZFS configuration prompt, select “Stripe”
  • Select “ada0 SSD” (hit the space bar)
  • Continue the installation and verify that it completes successfully
  • Verify that the installation continues and the “Reboot” prompt appears
  • Reboot the system
  • Verify the “sync” messages are displayed as the unit reboots and the screen goes blank
  • Immediately remove the USB drive from the unit and verify that the unit boots to pfSense menu

For more information, see the procedures presented on the pfSense® CE website (Performing a Full Install ISO, Memstick image), here: https://doc.pfsense.org/index.php/Installing_pfSense#Performing_a_Full_Install_.28ISO.2C_Memstick.29.

Once rebooted, the Vault should be up and running. Follow any on screen instructions for logging in to pfSense® CE.  If you experience any issues, please feel free to reach out: support@protectli.com.

System Compatibility

The table below shows the latest tested release of pfSense® CE on each of the Vaults.

VaultLatest Version Tested
FW1pfSense® CE 2.4.4
FW2pfSense® CE 2.4.4
FW2BpfSense® CE 2.4.4
FW4ApfSense® CE 2.4.4
FW4BpfSense® CE 2.4.4
FW6ApfSense® CE 2.4.4
FW6BpfSense® CE 2.4.4
FW6CpfSense® CE 2.4.4