Have a Question?

How to Install pfSense® CE on the Vault

Print

Overview

**Very important note as of May 2024: You can directly download pfSense® CE at this link, which is hosted on their servers. Otherwise, if you download the image file from the location where it was previously found, you will be required to create an account on the Netgate® website and download the Netgate® Installer. It is required to connect to the internet during the installation. If you do not have a pfSense® Plus® subscription, you can then proceed with installing pfSense®  CE as normal.

If you are here because you got a message saying "“Not Enough Disks Selected” / “Stripe: Not Enough Disks Selected” during the final section of the installer, please press the spacebar on your keyboard while highlighted over the drive you wish to install to, to properly install the OS. When you hit spacebar on the desired drive, you will see an asterisk [­*­­­] next to the drive name.

pfSense® CE is an open source routing and firewall software which is based on FreeBSD. It has a variety of packages easily downloaded and configurable within the GUI itself. https://www.pfsense.org/getting-started/

Note: pfSense® CE is open source software developed for the benefit of the community.  If you are using pfSense® CE with the Vault, please consider supporting the pfSense project. https://www.pfsense.org/get-involved

Note: pfSense® CE version 2.7.2 is now available. Protectli recommends using the latest released version.

Verify Hardware Recommendations

pfSense® CE has good documentation regarding general hardware recommendations on their web site. See https://docs.netgate.com/pfsense/en/latest/book/hardware/minimum-hardware-requirements.html to verify that  the proper memory and storage is available for the intended application.

Install pfSense® CE

Obtain the Installation Image and Uncompress It

There are two ways to install pfSense® CE on the Vault.  Because the Vault has a COM (serial console) port, users can install pfSense® CE using only the COM port, OR, users can install pfSense® CE the more 'traditional' way by using a VGA or HDMI monitor, along with a USB keyboard.

  • The easiest way to install pfSense® CE that is most likely to be error-free is with a HDMI or Display Port monitor and a USB keyboard, using the VGA version of the installer
  • If the user chooses to install pfSense® CE with the serial console port on the Vault, the user MUST use the serial version of the installer
  • If the user encounters an issue whereby the installation appears to stop and not proceed, please double check to ensure you're using the correct version of the pfSense® CE installer with your chosen installation method

It is recommended to download the .iso image for the newest version of pfSense from this link: https://sgpfiles.netgate.com/mirror/downloads/ (These are hosted on the official Netgate® website). The same image can be used to install pfSense® CE on any of the Vault platforms.

Before May 2024 the normal method of downloading the OS was from https://www.pfsense.org/download/, but this now requires an account to be created and you must be connected to the internet during the installation process. Directly downloading the file from the previous paragraph is the quicker method.

**Note for balenaEtcher users:  Use the .iso image opposed to the .img image to properly burn the image to your USB.

In the example above you should click on the link correlating with the version you'd like to download. You typically want to download the newest version of the .iso.gz file. These are found towards the top of the list. Keep in mind the serial versions are found towards the bottom of the list.

Your download should begin immediately and when it is completed you should have a compressed iso file (an example file name is: pfSense-CE-2.7.2-RELEASE-amd64.iso.gz) downloaded that is ~800MB in size.

You now have the compressed image file. If using Rufus to burn the image to your USB you typically do not need to uncompress the file, but if you are running into issues you will need to use a program like "7zip" or "WinRAR" on Windows to decompress the file.  The resulting file should look the same, except that the file name will now end in ".iso" instead of ".iso.gz".

Burn the installation image to a USB drive

The easiest way to transfer the installation image to a USB drive is by using software called "Rufus" on Windows or "balenaEtcher" on Mac OSX. See this link for detailed instructions on how to create a bootable USB drive using Rufus or balenaEtcher.

Install pfSense® CE Operating System on the Vault

  • Verify the Vault is powered off
  • Verify a monitor (or COM cable/serial console) is connected
  • Verify the wired USB keyboard is plugged in (ignore if using serial connection)
  • While powering up the Vault, hold the <F11> key to open boot options
  • Select your USB drive
    • If you see a partition that mentions UEFI, select this one
  • pfSense® CE should now start booting, lots of text will start flying across the screen (don't be scared!)
  • You will eventually be greeted with a Copyright and distribution notice
  • Review and [Accept]
  • Select the Install option
  • Select Auto (ZFS)
  • Select Proceed with Installation
  • Select Stripe
  • Highlight over the SSD and HIT SPACEBAR KEY. You MUST select the SSD, an [*] will show up next to the drive name
  • Hit <Enter> key
  • Confirm you wish to overwrite the contents of the SSD
  • The OS will quickly install
  • Reboot and remove the USB drive

Change Boot Order (UEFI coreboot only)

If you are on a unit with UEFI coreboot (VP Series or FW4C), you may need to change the boot order in the coreboot menu to make sure the SSD with  pfSense® CE is at the top of the boot order.

    • Hold <DEL> at the time of boot to access the coreboot menu
    • Navigate to Boot Maintenance Manager > Boot Options > Change Boot Order
      • Hit <Enter> to select the first option
      • Use arrow keys to highlight the SSD
      • Press <Shift> and <+> to move it up to the top selection
      • Hit <Enter>
      • Hit <F10> to save
      • Reboot

First Time Boot Instructions

After you have installed  pfSense® CE, allow the Vault to boot back up and load the OS.

On units with i225-V or i226-V NICs, you will most likely be prompted to configure the interface assignments so you actually have a WAN and LAN port to utilize. We will be setting port 1 as WAN (which connects to your modem) and port 2 as LAN (which connects to your computer or switch).

You will eventually get to a point in the booting process that asks "Should VLANs be set up now [y | n]?"

  • Type the letter "n" and hit <Enter> key
  • For "Enter the WAN interface name" type igc0 (potentially igb or ixl depending on NIC) and hit <Enter> key
  • For "Enter the LAN interface name" type igc1 (or whatever the NIC is labeled as) and hit <Enter> key
  • When asked to Enter the Optional 1 interface name, just hit the <Enter> key without typing anything
    • You can setup the OPT ports at a later time after the initial setup, follow this guide
  • When asked to proceed, type "y" and hit <Enter> key
  • The OS will now configure everything, this may potentially take a minute or so
  • Once you see a menu with 16 options, you are good to go
  • Feel free to unplug your monitor from the Vault, you can now connect to the WebGUI on a computer connected to the LAN port

Accessing WebGUI

  • Connect a computer to the Vault's LAN port
  • Browse to the pfSense® CE dashboard at 192.168.1.1 login with the default credentials.
    • Username: admin
    • Password: pfsense
  •  If a warning regarding an insecure connection shows, simply ignore and continue (this is normal)
  • Verify the dashboard is displayed
pfSense dashboard

 

For more detailed configuration instructions, the documentation page at: https://docs.netgate.com/pfsense/en/latest/index.html

Please refer to their official documentation for configuration assistance.

 

BIOS Compatibility

VaultpfSense® CE VersionAMI BIOS – LegacyAMI BIOS – UEFIBIOS – coreboot
FW2B2.7TestedTestedTested
FW4B2.7TestedTestedTested
FW4C2.7TestedTestedTested
FW6A2.7TestedTestedTested
FW6Br22.7TestedTestedTested
FW6C2.7TestedTestedTested
FW6D2.7TestedTestedTested
FW6E2.7TestedTestedTested
VP24102.7TestedTestedTested
VP24202.7N/ATestedTested
VP46302.7N/ATestedTested
VP46502.7N/ATestedTested
VP46702.7N/ATestedTested
VP66XX2.7N/ATestedTBD
V1XXX Series2.7N/ATestedTBD

Suggested Port Assignments

ModelWANLANOPT1OPT2OPT3OPT4
FW2Bigb0igb1N/AN/AN/AN/A
FW4Bigb0igb1igb2igb3N/AN/A
FW4Cigc0igc1igc2igc3N/AN/A
FW6 Seriesigb0igb1igb2igb3igb4igb5
VP2410igb0igb1igb2igb3N/AN/A
VP2420igc0igc1igc2igc3N/AN/A
VP4600 Seriesigc0igc1igc2igc3igc4igc5
VP6600 Seriesixl0ixl1igc0igc1igc2igc3
V12XXigc0igc1N/AN/AN/AN/A
V14XXigc0igc1igc2igc3N/AN/A
Table of Contents