pfSense®CE Configuration Recommendations


Overview

pfSense® CE is open source routing and firewall software based on FreeBSD. An article covering installation can be found at this link. This article offers basic recommendations for configuring pfSense® CE on the Vault. Some of these recommendations have appeared in other articles; for ease of use they are consolidated here in one place. The areas covered are:

  • Thermal Monitoring
  • Enable cryptographic hardware acceleration (AES-NI and the BSD Crypto Device)
  • Power Management with PowerD
  • Enable Optional (OPT) ports

At the bottom of this article is a table of downloadable configuration files, one per Vault model, that already contain the settings described below.

Thermal Monitoring

The Vault has a solid-state, fanless design; the case itself dissipates the heat the unit generates, so a case that is warm to the touch most likely means the system is working as designed. Thermal monitoring lets you verify that the Vault is operating within normal limits: Intel CPUs have on-die thermal sensors, and pfSense® CE can read them and display the temperatures on the dashboard. The following steps describe how to enable and monitor the thermal sensors.

Enable Thermal Monitoring

Enabling Thermal Monitoring is done through the pfSense® CE WebUI.

  • Browse to the pfSense® CE Dashboard, default 192.168.1.1 on the LAN port
  • Select “System –> Advanced” and click on the “Miscellaneous” tab

Screenshot: System->Advanced

  • Scroll down to “Cryptographic & Thermal Hardware”
  • Click on “Thermal Sensors.”
  • From the drop down, choose “Intel Core* CPU…”
Screenshot: System->Advanced->Miscellaneous->Cryptographic & Thermal Hardware

  • Click “Save” button at the bottom of the page
  • Verify success message is displayed at the top of the page
  • Thermal monitoring of the CPUs is now enabled

Display Thermal Sensors on the Dashboard

The preceding steps enabled thermal monitoring.  The following steps will show how to display thermal monitoring on the dashboard.

  • Select the Dashboard
  • Click the “+” icon in the upper right corner
  • Verify the “Available Widgets” box appears
  • Click the “+” next to Thermal Sensors

Screenshot: Dashboard->Available Widgets

  • Verify the Thermal Sensors box is displayed at the bottom of the dashboard
Screenshot: Dashboard with Thermal Monitoring, Idle

The screenshot above shows an FW4B that has been essentially idle for over 40 minutes. The core temperatures range from 51 to 53 degrees C, well within the normal range.

Screenshot: Dashboard with Thermal Monitoring, iperf 40 Minutes

The screenshot above shows the same FW4B after running an iperf test at line rate for over 40 minutes. CPU usage has risen from 3% to 30% and the core temperatures range from 55 to 58 degrees C. Although this may seem high, and the case may be warm to the touch, it shows the case doing its job of dissipating the heat. The figure to judge these readings against is TJmax, the junction temperature at which the CPU starts to throttle itself: the Intel TJmax values from ark.intel.com for each processor are listed in the table below, and the loaded FW4B above still has more than 30 degrees of headroom below its 90 C TJmax.

Platform  CPU    TJmax
FW1       J1900  105 C
FW2       J1800  105 C
FW2B      J3060   90 C
FW4A      E3845  110 C
FW4B      J3160   90 C
FW6A      3865U  100 C
FW6B      7100U  100 C
FW6C      7200U  100 C

Cryptographic Hardware Support (AES-NI and BSD Crypto Device)

The FW2B, FW4A, FW4B and FW6 series of the Vault have cryptographic acceleration (AES-NI) built into the CPU. It is critical for the performance of VPNs and other features that encrypt and decrypt packets as they traverse the unit, and by default it is not enabled in pfSense® CE. Enabling it loads the aesni kernel module, which is what accelerates IPsec in the kernel; OpenVPN links against OpenSSL, which detects AES-NI on its own, so this setting mainly benefits IPsec throughput.

Enable Cryptographic Hardware Support

Enabling Cryptographic Hardware Support is done through the pfSense® CE WebUI.

  • Browse to the pfSense® CE Dashboard, default 192.168.1.1 on the LAN port
  • Select “System –> Advanced” and click on the “Miscellaneous” tab

Screenshot: System->Advanced

  • Scroll down to “Cryptographic & Thermal Hardware”
  • Click on “Cryptographic Hardware.”
  • From the drop down, choose “AES-NI and BSD Crypto Device (aesni, cryptodev)”, or “AES-NI CPU-based Acceleration” if only the aesni module is wanted

Screenshot: System->Advanced->Miscellaneous->Cryptographic & Thermal Hardware

  • Click “Save” button at the bottom of the page
  • Verify success message is displayed at the top of the page

At this point cryptographic hardware support is enabled. To confirm it, check the System Information widget on the dashboard: the CPU Type entry should report AES-NI CPU Crypto as active. From Diagnostics -> Command Prompt, `dmesg | grep aesni` should also show the aesni driver attaching with its list of supported cipher modes.

Power Management with PowerD

All Vault models use Intel CPUs with power-management features that trade performance for power by adjusting the CPU frequency according to load. powerd is the power-control daemon of the underlying FreeBSD operating system, and pfSense® CE exposes it in the WebUI. This section enables powerd and selects the mode that best balances performance and power.

Enable PowerD

In this example we will enable PowerD within the pfSense® CE  WebUI.

  • Browse to the pfSense® CE Dashboard, default 192.168.1.1 on the LAN port
  • Navigate to the System tab and select Advanced from the drop down menu

Screenshot: pfSense® CE Dashboard, System->Advanced

  • Verify the Advanced page is displayed
  • Select the Miscellaneous tab
  • Verify the Miscellaneous page is displayed
  • Scroll down to the section labeled Power Savings
  • To enable PowerD, check the box next to Enable PowerD
  • Verify Hiadaptive is selected as the AC Power mode, as shown in the image below (Battery Power and Unknown Power also default to Hiadaptive; the Vault has no battery, so the AC setting is the one that applies)

Screenshot: PowerD Settings

  • Scroll down to the bottom of the page and click Save
  • Verify a message stating “The changes have been applied successfully” is displayed at the top of the page.

At this point powerd is enabled in hiadaptive mode. To confirm it from Diagnostics -> Command Prompt, `ps ax | grep powerd` should list the daemon, and `sysctl dev.cpu.0.freq` should drop below the top entry of `sysctl dev.cpu.0.freq_levels` once the unit has been idle for a moment.
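The three settings above (thermal sensors, cryptographic hardware and powerd) can be checked from the shell rather than trusted from the success banner. The following Python script is an added example, not part of the original article or of pfSense: it parses constructed samples of `sysctl dev.cpu` and dmesg output (the values are made up; the "key: value" layout is FreeBSD's), compares the hottest core against the TJmax table from the Thermal Monitoring section, checks whether powerd has scaled the frequency below its top level, and reports which cipher modes the aesni driver attached with. The model key, the 20-degree warning margin and the sample lines are assumptions.

```python
import re

# TJmax per Vault model, from the table in the Thermal Monitoring section
# (degrees C; the CPU throttles as it approaches this value).
TJMAX = {"FW1": 105, "FW2": 105, "FW2B": 90, "FW4A": 110, "FW4B": 90,
         "FW6A": 100, "FW6B": 100, "FW6C": 100}

# Constructed sample of `sysctl dev.cpu` output on a 4-core unit with coretemp
# loaded and powerd running (assumption: FreeBSD's "oid: value" layout).
SAMPLE_SYSCTL = """\
dev.cpu.3.temperature: 56.0C
dev.cpu.2.temperature: 58.0C
dev.cpu.1.temperature: 55.0C
dev.cpu.0.temperature: 57.0C
dev.cpu.0.freq: 1600
dev.cpu.0.freq_levels: 2400/2185 2300/2041 2100/1775 1900/1535 1700/1319 1600/1195 800/392
"""

# Constructed sample of the lines coretemp(4) and aesni(4) log in
# /var/run/dmesg.boot when they attach.
SAMPLE_DMESG = """\
coretemp0: <CPU On-Die Thermal Sensors> on cpu0
aesni0: <AES-CBC,AES-XTS,AES-GCM,AES-ICM> on motherboard
"""


def parse_sysctl(text):
    """Turn `sysctl` output into an {oid: value} dict."""
    kv = {}
    for line in text.splitlines():
        oid, sep, value = line.partition(": ")
        if sep:
            kv[oid.strip()] = value.strip()
    return kv


def core_temps(kv):
    """{core index: temperature in C}; empty when coretemp is not loaded."""
    temps = {}
    for oid, value in kv.items():
        m = re.fullmatch(r"dev\.cpu\.(\d+)\.temperature", oid)
        if m:
            temps[int(m.group(1))] = float(value.rstrip("C"))
    return temps


def thermal_headroom(kv, model, warn_margin=20.0):
    """(hottest core, degrees below TJmax, warning flag); None if no sensor is exposed."""
    temps = core_temps(kv)
    if not temps:
        return None  # Thermal Sensors still set to None, or the wrong sensor type chosen
    hottest = max(temps.values())
    headroom = TJMAX[model] - hottest
    return hottest, headroom, headroom < warn_margin


def powerd_state(kv):
    """(current MHz, top MHz, scaled_down) from dev.cpu.0.freq and freq_levels."""
    levels = [int(pair.split("/")[0]) for pair in kv["dev.cpu.0.freq_levels"].split()]
    current = int(kv["dev.cpu.0.freq"])
    return current, max(levels), current < max(levels)


def aesni_features(dmesg_text):
    """Cipher modes the aesni driver attached with, or [] if it did not attach."""
    m = re.search(r"^aesni\d+: <([^>]+)> on motherboard", dmesg_text, re.M)
    return m.group(1).split(",") if m else []


if __name__ == "__main__":
    kv = parse_sysctl(SAMPLE_SYSCTL)
    print("thermal:", thermal_headroom(kv, "FW4B"))
    print("powerd:", powerd_state(kv))
    print("aesni:", aesni_features(SAMPLE_DMESG))
```

On the Vault, feed the script the real output of `sysctl dev.cpu` and `cat /var/run/dmesg.boot`. An empty result from core_temps() means the coretemp module is not loaded, i.e. Thermal Sensors is still set to None; and because hiadaptive only lowers the frequency when the unit is quiet, take the powerd reading after an idle minute rather than during a transfer.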


Configuring Optional Ports

This section covers how to configure the Optional Ports in pfSense® CE. The Optional Ports are labeled “OPTx” on the Vault. They are given the same kind of default settings as the LAN port, namely:

  • An IP Address of 192.168.x.1
    • OPT1 192.168.2.1
    • OPT2 192.168.3.1
    • OPT3 192.168.4.1 (FW6 only)
    • OPT4 192.168.5.1 (FW6 only)
  • Enabling the OPT port to be a DHCP Server
  • A firewall rule that passes any traffic originating on the port, as the default LAN rule does

Note that such a rule is not limited to Internet access: hosts on an OPT port can also reach the LAN, the other OPT networks and the firewall's own WebGUI. If an OPT network is meant to be isolated (a guest or IoT segment, for example), restrict the rule's destination or add block rules above it.

Configuring Optional Ports – IP Address

  • Browse to the pfSense® CE Dashboard, default 192.168.1.1 on the LAN port
  • Navigate to the Interfaces tab and select Assignments from the drop down menu

Screenshot: Interfaces->Assignments

  • Verify the Interface Assignments page is displayed; in the Available network ports row, select the next unassigned port and click Add

Screenshot: Interfaces->Interface Assignments

  • Verify OPT1 is added and Select Save

Screenshot: Interfaces->Interface Assignments, OPT1 added

  • Select OPT1

Screenshot: Interfaces->Interface Assignments->OPT1

Verify the OPT1 General Configuration page is displayed and configure as follows:

  • General Configuration->Enable – Check the box
  • General Configuration->IPv4 Configuration Type – Select Static IPv4
  • Static IPv4 Configuration->IPv4 Address – 192.168.2.1 with the prefix set to /24
  • Select the Save Button

Screenshot: Interfaces->OPT1 configuration

  • Verify the OPT1 Configuration has been changed and Apply Changes

Screenshot: Interfaces->OPT1 Apply Changes

  • Verify changes have been applied successfully

Screenshot: Interfaces->OPT1 success message

Configuring Optional Ports – DHCP Server

  • Navigate to the Services tab and select DHCP Server from the drop down menu

Screenshot: Services->DHCP Server

  • Verify the Services->DHCP Server page is displayed and Select OPT1

Screenshot: Services->DHCP Server, OPT1 tab

Verify Services->DHCP Server->OPT1 page is displayed and configure as follows:

  • General Configuration->Enable – Check the box
  • General Configuration->Range – From 192.168.2.100 To 192.168.2.199 (inside the 192.168.2.0/24 subnet and clear of the interface address)

Screenshot: Services->DHCP Server, OPT1 configuration

  • Select the Save button and verify the changes have been applied successfully

Screenshot: Services->DHCP Server, OPT1 success message

Configuring Optional Ports – Firewall Rules

  • Navigate to the Firewall tab and select Rules from the drop down menu

Screenshot: Firewall->Rules

  • Verify the Firewall Rules page is displayed and Select OPT1

Screenshot: Firewall->Rules, OPT1 tab

  • Verify Firewall OPT1 page is displayed and select the Add Button

Screenshot: Firewall->Rules->OPT1, Add rule

Verify Firewall->Rules->Edit for OPT1 page is displayed and configure as follows:

  • Edit Firewall Rule->Action – Pass
  • Edit Firewall Rule->Interface – OPT1
  • Edit Firewall Rule->Address Family – IPv4
  • Edit Firewall Rule->Protocol – Any
  • Edit Firewall Rule->Source – OPT1 net (this matches the default LAN rule, which uses LAN net rather than any, so only hosts on the OPT1 subnet match)
  • Save the changes

Screenshot: Firewall->Rules->OPT1 rule configuration

  • Verify the configuration and Apply the changes

Screenshot: Firewall->Rules->OPT1 Apply Changes

  • Verify success message

Screenshot: Firewall->Rules->OPT1 success message

OPT1 is now configured with the static IP address 192.168.2.1, serves DHCP, and passes any traffic originating on the port.

Configuring Optional Ports – Verify Configuration

OPT1 has been configured, so test it to verify that the changes are correct:

  • Connect a PC to OPT1
  • Verify the PC gets an IP address in the range of 192.168.2.100-199
  • From the PC, browse to a site outside of the local network
  • Verify an external web page is displayed correctly on the PC

At this point OPT1 is up and running. To configure OPT2, repeat the same steps as for OPT1 but use the IP address 192.168.3.1. For an FW6 with OPT3 and OPT4, repeat the same steps using the IP addresses 192.168.4.1 and 192.168.5.1.

Configuration Files

The steps above configure the Vault manually. It is important to understand them, but loading a configuration file is far more convenient than setting each item by hand.

The table at the bottom of the page links configuration files that have:

  • Thermal Monitoring Enabled
  • Cryptographic Hardware Support Enabled
  • Power Management Enabled
  • OPT Ports Enabled with Static IP Address, DHCP Server, and Basic Firewall Rule

Note: These configuration files retain the default admin password, so until it is changed anyone who can reach the WebGUI on any configured interface can log in; change it immediately after the restore. The additional ports use the same default allow-any rule that pfSense® configures for the LAN port, so the OPT networks are not isolated from LAN or from each other.

How to Restore a Config File

  • Verify pfSense® has been installed correctly
  • Verify the correct configuration file has been downloaded from the table below to the computer you will use for the WebGUI
  • Log into the WebGUI. This is 192.168.1.1 by default.
  • The default pfSense® login user is ‘admin’ and password is ‘pfsense’
  • Click Diagnostics on the top of the GUI
  • From the drop-down menu click Backup & Restore

Screenshot: pfSense® Setup Wizard page

  • Click Choose File
  • Select the appropriate config, click open
  • Click Restore Configuration

Screenshot: pfSense® Backup & Restore page

  • Verify the Vault reboots
  • Log back into the WebGUI with the default credentials
  • Verify OPT1 and OPT2 (OPT3 /OPT4 additionally on the FW6x) now appear on the Interfaces widget

Screenshot: pfSense® WebGUI dashboard

  • Change the default ‘admin’ password now (System -> User Manager); the restored configuration still carries the default credentials
  • Verify the newly assigned ports are functioning and DHCP is handing out IP addresses
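Before restoring one of the configuration files, or after exporting your own from Diagnostics -> Backup & Restore, it is worth auditing the XML for the caveats raised in the note above: the credentials it carries and the allow-any rules on the OPT ports. The following Python script is an added example, not part of the original article or a pfSense tool. It parses a constructed config.xml sample whose element names are my reading of pfSense's config.xml layout for the settings described on this page (compare them against a backup taken from your own Vault), checks that each OPT DHCP range lies inside its interface's subnet and excludes the interface address, flags pass rules on OPT interfaces whose destination is unrestricted and lists which internal networks they reach, and reports that the backup contains password hashes. One error is planted in the sample (the OPT2 range spills into 192.168.4.x) and the hash value is a placeholder.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a pfSense CE config.xml backup. Assumption: the
# element names mirror what System->Advanced, Interfaces, DHCP Server and
# Firewall->Rules write; verify against a real backup. The OPT2 DHCP range is
# deliberately wrong and the password hash is a placeholder, not a real hash.
SAMPLE_CONFIG = """<pfsense>
  <system>
    <powerd_enable></powerd_enable>
    <powerd_ac_mode>hadp</powerd_ac_mode>
    <crypto_hardware>aesni</crypto_hardware>
    <thermal_hardware>coretemp</thermal_hardware>
    <user><name>admin</name><password>$2y$10$PLACEHOLDERNOTAREALHASH</password></user>
  </system>
  <interfaces>
    <wan><enable></enable><if>igb0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><enable></enable><if>igb1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><enable></enable><if>igb2</if><descr>OPT1</descr><ipaddr>192.168.2.1</ipaddr><subnet>24</subnet></opt1>
    <opt2><enable></enable><if>igb3</if><descr>OPT2</descr><ipaddr>192.168.3.1</ipaddr><subnet>24</subnet></opt2>
  </interfaces>
  <dhcpd>
    <opt1><enable></enable><range><from>192.168.2.100</from><to>192.168.2.199</to></range></opt1>
    <opt2><enable></enable><range><from>192.168.3.100</from><to>192.168.4.199</to></range></opt2>
  </dhcpd>
  <filter>
    <rule><type>pass</type><interface>opt1</interface><ipprotocol>inet</ipprotocol>
      <source><network>opt1</network></source><destination><any></any></destination></rule>
    <rule><type>pass</type><interface>opt2</interface><ipprotocol>inet</ipprotocol>
      <source><network>opt2</network></source><destination><network>wan</network></destination></rule>
  </filter>
</pfsense>
"""

# Values this article sets: Intel on-die sensors, the aesni module, hiadaptive powerd.
EXPECTED_SYSTEM = {"thermal_hardware": "coretemp", "crypto_hardware": "aesni",
                   "powerd_ac_mode": "hadp"}


def static_interfaces(root):
    """{name: IPv4Interface} for every enabled interface with a static address."""
    nets = {}
    for iface in root.find("interfaces"):
        if iface.find("enable") is None:
            continue
        try:
            nets[iface.tag] = ipaddress.ip_interface(
                f"{iface.findtext('ipaddr')}/{iface.findtext('subnet')}")
        except ValueError:
            pass  # dhcp/pppoe/none: no static address to check
    return nets


def check_system(root):
    """Hardware/power settings from this article, plus a reminder about stored hashes."""
    system = root.find("system")
    findings = []
    if system.find("powerd_enable") is None:
        findings.append("powerd is not enabled")
    for key, want in EXPECTED_SYSTEM.items():
        got = system.findtext(key)
        if got != want:
            findings.append(f"{key} is {got!r}, expected {want!r}")
    if system.find("user/password") is not None:
        findings.append("backup carries user password hashes: store it as a secret")
    return findings


def check_dhcp(root, nets):
    """Each enabled DHCP range must sit inside its interface subnet, away from the gateway."""
    findings = []
    for scope in root.find("dhcpd"):
        if scope.find("enable") is None or scope.tag not in nets:
            continue
        net = nets[scope.tag].network
        lo = ipaddress.ip_address(scope.findtext("range/from"))
        hi = ipaddress.ip_address(scope.findtext("range/to"))
        if lo > hi or lo not in net or hi not in net:
            findings.append(f"{scope.tag}: DHCP range {lo}-{hi} is not inside {net}")
        elif lo <= nets[scope.tag].ip <= hi:
            findings.append(f"{scope.tag}: DHCP range includes the interface address")
    return findings


def check_rules(root, nets):
    """Pass rules on OPT interfaces with destination 'any' also reach the LAN, the
    other OPT subnets and the firewall's own WebGUI; list what each one reaches."""
    findings = []
    for rule in root.find("filter").findall("rule"):
        iface = rule.findtext("interface") or ""
        if rule.findtext("type") != "pass" or not iface.startswith("opt"):
            continue
        if rule.find("destination/any") is None:
            continue
        others = sorted(str(n.network) for name, n in nets.items() if name != iface)
        findings.append(f"{iface}: pass-any rule also reaches {', '.join(others)}")
    return findings


def audit(xml_text):
    """Run all checks over a config.xml string and return findings per area."""
    root = ET.fromstring(xml_text)
    nets = static_interfaces(root)
    return {"system": check_system(root), "dhcp": check_dhcp(root, nets),
            "rules": check_rules(root, nets)}


if __name__ == "__main__":
    for area, findings in audit(SAMPLE_CONFIG).items():
        print(area, findings or "ok")
```

Run it against a backup exported from Diagnostics -> Backup & Restore (pass the file contents to audit()). A pass-any finding is expected for every OPT port configured exactly as this article describes; it is only a problem if that port is supposed to be isolated, in which case narrow the rule's destination before restoring.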

If you experience any issues, please feel free to reach out: support@protectli.com. You can find additional information in our Knowledge Base, or reference pfsense.org directly.

Configuration Files

Each entry gives the model, the pfSense® version the file was built for, the download file and its release date, followed by the settings it enables.

FW1 (pfSense® 2.4.5, May 6, 2020): config-pfSense.Basic-FW1-200506.xml
  Enabled: Thermal Monitoring, PowerD, OPT1, OPT2, DHCP, Default Firewall Rules

FW2 (pfSense® 2.4.5, May 6, 2020): config-pfSense.Basic-FW2-200506.xml
  Enabled: Thermal Monitoring, PowerD

FW4A (pfSense® 2.4.5, May 6, 2020): config-pfSense.Basic-FW4A-200506.xml
  Enabled: Thermal Monitoring, PowerD, AES-NI, OPT1, OPT2, DHCP, Default Firewall Rules

FW2B (pfSense® 2.4.5, May 6, 2020): config-pfSense.Basic-FW2B-200506.xml
  Enabled: Thermal Monitoring, PowerD, AES-NI

FW4B (pfSense® 2.4.5, May 6, 2020): config-pfSense.Basic-FW4B-200506.xml
  Enabled: Thermal Monitoring, PowerD, AES-NI, OPT1, OPT2, DHCP, Default Firewall Rules

FW6 (A, B, C) (pfSense® 2.4.5, May 6, 2020): config-pfSense.Basic-FW6-200506.xml
  Enabled: Thermal Monitoring, PowerD, AES-NI, OPT1, OPT2, OPT3, OPT4, DHCP, Default Firewall Rules