pfSense® CE on the Vault
Overview: Install pfSense® CE
pfSense® CE is an open source routing and firewall software which is based on FreeBSD. It has a variety of packages easily downloaded and configurable within the GUI itself. https://www.pfsense.org/getting-started/
Note: pfSense® CE is open source software developed for the benefit of the community. If you are using pfSense® CE with the Vault, please consider supporting the pfSense project. https://www.pfsense.org/get-involved
Note: pfSense® CE version 2.6.0 is now available. Protectli recommends using the latest released version.
Note: There is a bug that does not save keyboard localization if attempting to select a non-US keyboard map for console or SSH. See bug report here (link)
Verify Hardware Recommendations
pfSense® CE has good documentation regarding general hardware recommendations on their web site. See https://docs.netgate.com/pfsense/en/latest/book/hardware/minimum-hardware-requirements.html to verify that the proper memory and storage is available for the intended application.
Install pfSense® CE
Obtain the Installation Image and Uncompress it
There are two ways to install pfSense® CE on the Vault. Because the Vault has a COM (serial console) port, users can install pfSense® CE using only the COM port, OR, users can install pfSense® CE the more ‘traditional’ way by using a VGA or HDMI monitor, along with a USB keyboard.
- The easiest way to install pfSense® CE that is most likely to be error-free is with a VGA (FW1, FW2, FW4A series) or HDMI (FW2B, FW4B, FW6, VP series) monitor and a USB keyboard, using the VGA version of the installer
- If the user chooses to install pfSense® CE with the serial console port on the Vault, the user MUST use the serial version of the installer.
- If the user encounters an issue whereby the installation appears to stop and not proceed, please double check to ensure you’re using the correct version of the pfSense® CE installer with your chosen installation method.
The pfSense® CE installation image (IMG) can be downloaded from https://www.pfsense.org/download/. The same image can be used to install pfSense® CE on any of the Vault platforms. It is important to choose the correct options when downloading the image including “Version”, “Architecture”, “Installer”, and “Console.” The proper selections are as follows for installing the Vault using a VGA monitor and USB Keyboard:
Version: The latest available (2.6.0 as of this edit)
Architecture: AMD64 (64 bit)
Console: VGA or Serial as needed (see note above; VGA or HDMI monitor = VGA installer; COM port = serial installer)
Installer: USB Memstick Installer
Your download should begin immediately and when it is completed you should have a compressed IMG file (an example file name is: pfSense-CE-memstick-2.5.0-RELEASE-amd64.img.gz) downloaded that is ~800MB in size.
Now that the compressed image file has been downloaded, you will need to use a program like “7zip” or “winzip” on Windows to decompress the file. The resulting file should look the same, except that the file name will now end in “.img” instead of “.img.gz”.
Burn the installation image to a USB drive
Note: When creating a bootable USB drive, all contents of said USB drive will be erased.
The easiest way to transfer the installation image to a USB drive is by using software called “Rufus” on Windows or “balenaEtcher” on Mac OSX. See this link for detailed instructions on how to create a bootable USB drive using Rufus or balenaEtcher.
Note: If installing using a VGA monitor and USB keyboard on a Vault FW1x, FW2x, or FW4x, be sure to use a USB stick and a USB keyboard with a plug that is relatively skinny. The 2 USB ports on the Vault are very close to each other and if either the USB stick or the USB keyboard plug is too wide, you will not be able to plug both in at the same time, which will prevent you from doing the installation.
Verify the BIOS mode
Note: There is an important issue and workaround in some versions of pfSense® CE version 2.4-2.5 due to the fact that it is based on FreeBSD 11.2-12.0. See this link. The issue affects the FW1, FW2, and FW4A platforms. See the BIOS Compatibility table at the bottom of this article. If UEFI is required, follow the steps below to set UEFI mode.
Note: If installing pfSense® CE to the FW4C with coreboot, VP2410 with coreboot, VP2420 with AMI or coreboot, or any VP4600 model, UEFI is the only option, so jump past the BIOS verification section to the “Install pfSense® CE” section below. Be sure to note the reboot instructions.
- Verify the Vault is powered down
- Verify the monitor is connected
- Verify the USB keyboard is plugged in (you can skip this step if you are using the serial installer)
- While powering up the Vault, press “DEL” key and verify that it boots to the BIOS.
- Select “Advanced” tab
- Select “CSM Configuration”
- Select “Boot option filter”
- Select “UEFI only”
- Press RETURN then “F4” to save and exit the BIOS
- Power off the unit
Install pfSense® CE Operating System on the Vault
- Insert the USB installation drive into the USB port on the Vault
- While powering up the Vault, press “F11” key and verify that it boots to the BIOS boot options screen.
NOTE: If using the serial installer, F11 commonly will not show the boot options menu. In this case, use the “DEL” key to enter the BIOS. In the BIOS, a specific boot device can be chosen from the “Save & Exit”, or rightmost tab.
- Select the USB drive UEFI partition to boot from if UEFI was configured, else just select the USB drive
- Verify the Vault boots and begins the installation process
- Follow the on screen installation prompts to install pfSense® CE
- When Selecting ZFS install, press the space bar to select the target drive you wish to install. Then enter to proceed
- Optional note: FW6 platforms utilizing two SSD’s (mSATA+2.5″SSD) can support ZFS mirrored redundancy
For detailed installation information, see the procedures presented on the pfSense® CE website at this link.
pfSense® CE Dashboard
For more detailed configuration instructions, the documentation page at: https://docs.netgate.com/pfsense/en/latest/index.html
When prompted, reboot the unit. If it is a VP2410 with coreboot, follow the instructions to edit the boot order at:
Once rebooted, the Vault should be up and running. Follow any on screen instructions for logging in to pfSense® CE.
If you experience any issues, please feel free to reach out: firstname.lastname@example.org.
The table below shows the compatibility of tested releases of pfSense® CE and BIOS on each of the Vaults.
|Vault||pfSense® CE Version||AMI BIOS - Legacy||AMI BIOS - UEFI||BIOS - coreboot|
Default Port Assignments