What is the minimum hardware configuration for pfSense?

For basic use (< 100 Mbps), a 64-bit CPU, 2 GB of RAM and 8 GB of storage are enough. For multi-gigabit with Suricata/Snort active, plan on a 4-core CPU, 8 GB of RAM and an SSD. Each network interface requires a dedicated FreeBSD-compatible Ethernet port.

Can pfSense replace a consumer router?

Yes. pfSense offers all the functions of a router (NAT, DHCP, DNS, firewall) with far greater control. It handles QoS, VPN, multi-WAN failover and advanced filtering. The only drawback is the lack of built-in Wi-Fi: you have to add a separate access point.

How do I update pfSense without service interruption?

In a CARP high-availability setup, update the secondary node first, verify that it works correctly, then switch traffic over to it and update the primary node. In standalone mode, schedule a maintenance window: updating via System > Update generally takes 5 to 10 minutes with a reboot.

What is the difference between DNS Resolver and DNS Forwarder in pfSense?

The DNS Resolver (Unbound) performs recursive DNS resolution directly against the root servers, offering more privacy and DNSSEC support. The DNS Forwarder (dnsmasq) forwards queries to an upstream DNS server. Use the Resolver by default, unless you need to go through a specific DNS (e.g. Pi-hole, corporate filtering).

How do I diagnose a firewall rule that blocks legitimate traffic?

Go to Diagnostics > Packet Capture to capture traffic on the interface concerned. Check Status > System Logs > Firewall to see blocked packets along with the responsible rule. Also use Diagnostics > pfTop to see active connections in real time. Each log entry indicates the rule that matched, which lets you quickly identify the problem.

pfSense: Open Source Firewall and Router

Q: What is the minimum hardware configuration for pfSense?

For basic use (< 100 Mbps), a 64-bit CPU, 2 GB of RAM and 8 GB of storage are enough. For multi-gigabit with Suricata/Snort active, plan on a 4-core CPU, 8 GB of RAM and an SSD. Each network interface requires a dedicated FreeBSD-compatible Ethernet port.

Q: Can pfSense replace a consumer router?

Yes. pfSense offers all the functions of a router (NAT, DHCP, DNS, firewall) with far greater control. It handles QoS, VPN, multi-WAN failover and advanced filtering. The only drawback is the lack of built-in Wi-Fi: you have to add a separate access point.

Q: How do I update pfSense without service interruption?

In a CARP high-availability setup, update the secondary node first, verify that it works correctly, then switch traffic over to it and update the primary node. In standalone mode, schedule a maintenance window: updating via System > Update generally takes 5 to 10 minutes with a reboot.

Back to tutorials

About this guide: This tutorial covers the complete installation, configuration and hardening of pfSense. It is aimed at network administrators and enthusiasts who want to deploy a professional firewall. Estimated time: 2 to 4 hours for a full setup.

Prerequisites

Before you start, make sure you have the following:

Dedicated hardware or VM: 64-bit CPU (AMD64), minimum 2 GB of RAM, 8 GB of SSD storage recommended
At least 2 network interfaces: one for the WAN (Internet), one for the LAN (local network). Intel cards (igb, em) are the most reliable under FreeBSD
USB stick: 4 GB minimum for the installation image
Console access: screen + keyboard or serial port for the initial installation
A client machine: connected to the LAN to access the web interface after installation

Important: Identify your network interfaces (MAC addresses) before installation. On dedicated hardware, physically label the WAN and LAN ports to avoid any mix-up.

Complete installation

Downloading the ISO

Get the image from Netgate's official site. Choose the AMD64 architecture and the USB Memstick format (VGA or serial depending on your console).

# Download the image (example with wget)
wget https://atxfiles.netgate.com/mirror/downloads/pfSense-CE-2.7.2-RELEASE-amd64.iso.gz

# Verify integrity
sha256sum pfSense-CE-2.7.2-RELEASE-amd64.iso.gz

# Decompress
gunzip pfSense-CE-2.7.2-RELEASE-amd64.iso.gz

Creating the bootable USB stick

# Linux / macOS - identify the USB stick
lsblk   # Linux
diskutil list   # macOS

# Write the image (replace /dev/sdX with your stick)
sudo dd if=pfSense-CE-2.7.2-RELEASE-amd64.iso of=/dev/sdX bs=4M status=progress conv=fsync

# On Windows, use Rufus or Etcher in DD Image mode

Installation wizard

Boot from the USB stick and follow these steps:

Boot menu: accept the default boot or press Enter
Copyright: accept the license
Install: select "Install pfSense"
Keymap: choose your keyboard layout (French ISO for AZERTY)
Partitioning: select Auto (ZFS) for a modern system or Auto (UFS) for older hardware
ZFS Config: Stripe for a single disk, Mirror if two disks are available
Disk selection: select your target disk
Confirmation: confirm and wait for the files to be copied
Reboot: remove the USB stick and reboot

Assigning the WAN / LAN interfaces

On first boot, pfSense asks you to assign the interfaces:

Do VLANs need to be set up first? n

Enter the WAN interface name: igb0
Enter the LAN interface name: igb1

Do you want to proceed? y

Tip: If you don't know the interface names, select "a" for auto-detection. pfSense will ask you to plug/unplug a cable to identify each port.

Premium Content

This advanced tutorial is reserved for premium members.

9,90€ / month

All advanced tutorials
New content every week
Progress tracking
Cancel anytime

Firewall Routing Network Security pfSense VPN NAT CARP FreeBSD

pfSense: Open Source Firewall and Router

Prerequisites

Complete installation

Downloading the ISO

Creating the bootable USB stick

Installation wizard

Assigning the WAN / LAN interfaces

Premium Content

Morgann Riu

Comments

pfSense: Open Source Firewall and Router

Prerequisites

Complete installation

Downloading the ISO

Creating the bootable USB stick

Installation wizard

Assigning the WAN / LAN interfaces

Premium Content

Morgann Riu

Comments

Recommended for you

UFW : Pare-feu simple pour Linux

OpenClaw : l'agent IA open source qui révolutionne l'automatisation

iptables : Configurer un Pare-feu sur Linux

WireGuard : VPN simple et performant

In-depth article on the topic

Checklist Sécurité Linux