How to Install pfSense® CE 2.4 on the Vault

Last Updated On May 17, 2019
You are here:

pfSense® CE Overview

pfSense® CE is an open source routing and firewall software which is based on FreeBSD. It has a variety of packages easily downloaded and configurable within the GUI itself. https://www.pfsense.org/getting-started/

Note: pfSense® CE is open source software developed for the benefit of the community.  If you are using pfSense® CE with the Vault, please consider supporting the pfSense project. https://www.pfsense.org/get-involved

Note: pfSense® CE will require hardware encryption support, specifically Intel AES-NI, starting with version 2.5. This was announced at https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html. Subsequently, there was an announcement that AES-NI will NOT be a requirement in version 2.5 https://www.netgate.com/blog/pfsense-2-5-0-development-snapshots-now-available.html However, it may be a requirement in the future. The Vault FW1 and FW2 (J1800 based CPU) series DO NOT support AES-NI. The Vault FW2B, FW4A, FW4B and FW6 series DO support AES-NI.

Note: pfSense® CE version 2.4.4 is now available. A previous article was published at this link regarding an important issue and workaround in pfSense® CE version 2.4.4 due to the fact that it is based on FreeBSD 11.2 . Both of these issues can be resolved by setting BIOS to UEFI mode on the Vault. This article supersedes that one and following the instructions below eliminates the need to refer to the previous article. See the BIOS Compatibility table at the bottom of this article for more information.

Verify Hardware Recommendations

pfSense® CE has good documentation regarding hardware recommendations on their web site. See https://docs.netgate.com/pfsense/en/latest/book/hardware/minimum-hardware-requirements.html to verify that  the proper memory and storage is available for the intended application.

Install pfSense® CE

Obtain the Installation Image and Uncompress it

There are two ways to install pfSense® CE on the Vault.  Because the Vault has a COM (serial console) port, users can install pfSense® CE using only the COM port, OR, users can install pfSense® CE the more ‘traditional’ way by using a VGA or HDMI monitor, along with a USB keyboard.

  • The easiest way to install pfSense® CE that is most likely to be error-free is with a VGA (FW1, FW2, FW4A series) or HDMI (FW2B, FW4B, FW6 series) monitor and a USB keyboard, using the VGA version of the installer
  • If the user chooses to install pfSense® CE with the serial console port on the Vault, the user MUST use the serial version of the installer.
  • If the user encounters an issue whereby the installation appears to stop and not proceed, please double check to ensure you’re using the correct version of the pfSense® CE installer with your chosen installation method.

The pfSense® CE installation image (IMG) can be downloaded from https://www.pfsense.org/download/. The same image can be used to install pfSense® CE on any of the Vault platforms. It is important to choose the correct options when downloading the image including “Version”, “Architecture”, “Installer”, and “Console.”  The proper selections are as follows for installing the Vault using a VGA monitor and USB Keyboard:

Version: The latest available (2.4.4 as of this edit)

Architecture: AMD64 (64 bit)

Console: VGA or Serial as needed (see note above; VGA or HDMI monitor = VGA installer; COM port  = serial installer)

Installer: USB Memstick Installer


pfSense® CE Download Page

Your download should begin immediately and when it is completed you should have a compressed IMG file (an example file name is: pfSense-CE-memstick-2.4.4-RELEASE-amd64.img.gz) downloaded that is ~800MB in size.

Now that the compressed image file has been downloaded, you will need to use a program like “7zip” or “winzip” on Windows to decompress the file.  The resulting file should look the same, except that the file name will now end in “.img” instead of “.img.gz”.

Burn the installation image to a USB drive

The easiest way to transfer the installation image to a USB drive is by using software called “Rufus” on Windows or “Etcher” on Mac OSX. See this link for  detailed instructions on how to create a bootable USB drive using Rufus or Etcher.

Note: If installing using a VGA monitor and USB keyboard on a Vault FW1x, FW2x, or FW4x, be sure to use a USB stick and a USB keyboard with a plug that is relatively skinny.  The 2 USB ports on the Vault are very close to each other and if either the USB stick or the USB keyboard plug is too wide, you will not be able to plug both in at the same time, which will prevent you from doing the installation.

Verify the BIOS mode

Note: There is an important issue and workaround in pfSense® CE version 2.4.4 due to the fact that it is based on FreeBSD 11.2. See this link. The issue affects the FW1, FW2, and FW4A platforms. See the BIOS Compatibility table at the bottom of this article. If UEFI is required, follow the steps below to set UEFI mode.

  • Verify that the Vault is powered down
  • Verify that the VGA monitor or serial console is connected
  • Verify that the USB keyboard is plugged in (you can skip this step if you are using the serial installer)
  • While powering up the Vault, press “DEL” key and verify that it boots to the BIOS.
BIOS Main
  • Select “Advanced” tab
Advanced Tab
  • Select “CSM Configuration”
Advanced->CSM
  • Select “Boot option filter”
Boot Option Filter
  • Select “UEFI only”
  • Press RETURN then “F4” to save and exit the BIOS
  • Power off the unit

Install the Operating System on the Vault

  • Insert the USB installation drive into the USB port on the Vault
  • While powering up the Vault, press “F11” key and verify that it boots to the BIOS boot options screen.

NOTE: If using the serial installer, F11 commonly will not show the boot options menu.  In this case, use the “DEL” key to enter the BIOS.  In the BIOS, a specific boot device can be chosen from the last, or rightmost tab.

  • Select the USB drive UEFI partition to boot from if UEFI was configured, else just select the USB drive
  • Verify that the Vault boots and begins the installation process
  • Follow the on screen installation prompts to install pfSense® CE

For detailed installation information, see the procedures presented on the pfSense® CE website at this link.


pfSense® CE Dashboard

For more detailed configuration instructions, the documentation page at: https://docs.netgate.com/pfsense/en/latest/index.html

Once rebooted, the Vault should be up and running. Follow any on screen instructions for logging in to pfSense® CE.  

If you experience any issues, please feel free to reach out: support@protectli.com.

BIOS Compatibility

The table below shows the compatibility of tested releases of pfSense® CE and BIOS on each of the Vaults.

VaultpfSense® CE VersionBIOS - LegacyBIOS - UEFIBIOS - coreboot
FW12.4.3TestedTestedN/A
FW12.4.4Fail, Use UEFITestedN/A
FW22.4.3TestedTestedN/A
FW22.4.4Fail, Use UEFITestedN/A
FW4A2.4.3TestedTestedN/A
FW4A2.4.4Fail, Use UEFITestedN/A
FW2B2.4.3TestedTestedTested
FW2B2.4.4TestedTestedTested
FW4B2.4.3TestedTestedTested
FW4B2.4.4TestedTestedTested
FW6A2.4.3TestedTestedN/A
FW6A2.4.4TestedTestedN/A
FW6B2.4.3TestedTestedN/A
FW6B2.4.4TestedTestedN/A
FW6C2.4.3TestedTestedN/A
FW6C2.4.4TestedTestedN/A