Setup Wizard | pfSense Documentation (2024)

The first time a user logs into the pfSense® software GUI, the firewall presents the Setup Wizard automatically. The first page of the wizard is shown in Figure Setup Wizard Starting Screen.

Click Next to proceed.

Tip

Using the setup wizard is optional. Click the logo at the top left of the page to exit the wizard at any time.

The next screen of the wizard explains the availability of support from Netgate. Click Next again to start the configuration process using the wizard.

General Information Screen

The next screen (Figure General Information Screen) configures the name of this firewall, the domain in which it resides, and the DNS servers for the firewall.

Hostname:

The Hostname is a name that should uniquely identify this firewall. It can be nearly anything, but must start with a letter and it may contain only letters, numbers, or a hyphen.

Domain:

Enter a Domain, e.g. example.com. If this network does not have a domain, use <something>.home.arpa, where <something> is another identifier: a company name, last name, nickname, etc. For example, company.home.arpa. The hostname and domain name are combined to make up the fully qualified domain name of this firewall.

Primary/Secondary DNS Server:

The IP address of the Primary DNS Server and Secondary DNS Server, if known.

These DNS servers may be left blank if the DNS Resolver will remain active using its default settings. The default configuration has the DNS Resolver active in resolver mode (not forwarding mode). When set this way, the DNS Resolver does not need forwarding DNS servers as it will communicate directly with Root DNS servers and other authoritative DNS servers. To force the firewall to use these configured DNS servers, enable forwarding mode in the DNS Resolver or use the DNS Forwarder.

If this firewall has a dynamic WAN type such as DHCP, PPTP or PPPoE, these may be automatically assigned by the ISP and can be left blank.

Note

The firewall can have more than two DNS servers; add more under System > General Setup after completing the wizard.

Override DNS:

When checked, a dynamic WAN ISP can supply DNS servers which override those set manually. To force the use of only the DNS servers configured manually, uncheck this option.

See also

For more information on configuring the DNS Resolver, see DNS Resolver.

Click Next to continue.

NTP and Time Zone Configuration

The next screen (Figure NTP and Time Zone Setup Screen) has time-related options.

Time server hostname:

A Network Time Protocol (NTP) server hostname or IP address. Unless a specific NTP server is required, such as one on LAN, the best practice is to leave the Time server hostname at the default 2.pfsense.pool.ntp.org. This value will pick a set of random servers from a pool of known-good NTP hosts.

To utilize multiple time server pools or individual servers, add them in the same box, separating each server by a space. For example, to use three NTP servers from the pool, enter: 0.pfsense.pool.ntp.org 1.pfsense.pool.ntp.org 2.pfsense.pool.ntp.org

This numbering is specific to how .pool.ntp.org operates and ensures each address is drawn from a unique pool of NTP servers so the same server does not get used twice.

Timezone:

Choose a geographically named zone which best matches the location of this firewall, or any other desired zone.

Click Next to continue.

WAN Configuration

The next page of the wizard configures the WAN interface of the firewall. This is the external network facing the ISP or upstream router, so the wizard offers configuration choices to support several common ISP connection types.

WAN Type:

The Selected Type (Figure WAN Configuration) must match the type of WAN required by the ISP, or whatever the previous firewall or router was configured to use. Possible choices are Static, DHCP, PPPoE, and PPTP. The default choice is DHCP due to the fact that it is the most common, and for the majority of cases this setting allows a firewall to “Just Work” without additional configuration. If the WAN type is not known, or specific settings for the WAN are not known, this information must be obtained from the ISP. If the required WAN type is not available in the wizard, or to read more information about the different WAN types, see Interface Types and Configuration.

Note

If the WAN interface is wireless, additional options will be presented by the wizard which are not covered during this walkthrough of the standard Setup Wizard. Refer to Wireless, which has a section on Wireless WAN for additional information. If any of the options are unclear, skip the WAN setup for now, and then perform the wireless configuration afterward.

MAC Address:

This field, shown in Figure General WAN Configuration, changes the MAC address used on the WAN network interface. This is also known as “spoofing” the MAC address.

Note

The problems alleviated by spoofing a MAC address are typically temporary and easily worked around. The best course of action is to maintain the original hardware MAC address, resorting to spoofing only when absolutely necessary.

Changing the MAC address can be useful when replacing an existing piece of network equipment. Certain ISPs, primarily Cable providers, will not work properly if a new MAC address is encountered. Some Internet providers require power cycling the modem, others require registering the new address over the phone. Additionally, if this WAN connection is on a network segment with other systems that locate it via ARP, changing the MAC to match an older piece of equipment may also help ease the transition, rather than having to clear ARP caches or update static ARP entries.

Warning

If this firewall will ever be used as part of a High Availability Cluster, do not spoof the MAC address.

Maximum Transmission Unit (MTU):

The MTU field, shown in Figure General WAN Configuration, can typically be left blank, but can be changed when necessary. Some situations may call for a lower MTU to ensure packets are sized appropriately for an Internet connection. In most cases, the default assumed values for the WAN connection type will work properly.

Maximum Segment Size (MSS):

MSS, shown in Figure General WAN Configuration, can typically be left blank, but can be changed when necessary. This field enables MSS clamping, which ensures TCP packet sizes remain adequately small for a particular Internet connection.

Static IP Configuration:

If the “Static” choice for the WAN type is selected, the IP address, Subnet Mask, and Upstream Gateway must all be filled in (Figure Static IP Settings). This information must be obtained from the ISP or whoever controls the network on the WAN side of this firewall. The IP Address and Upstream Gateway must both reside in the same Subnet.
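
A pre-flight check for two rules stated on this page, the hostname format from the General Information screen and the same-subnet requirement for a Static WAN, written as an added example and not taken from pfSense code. The function names and the sample values (documentation address space) are assumptions for illustration.

```python
import ipaddress
import re

# Hostname rule as stated above: starts with a letter, then only letters,
# numbers or hyphens. The GUI may apply further limits not modeled here.
HOSTNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def check_hostname(hostname, domain):
    """Return (fqdn, problems) for the General Information values."""
    problems = []
    if not HOSTNAME_RE.fullmatch(hostname):
        problems.append("hostname must start with a letter and contain "
                        "only letters, numbers or hyphens")
    return f"{hostname}.{domain}", problems


def check_static_wan(address, prefix_len, gateway):
    """Return a list of problems with a Static WAN address, mask and gateway."""
    iface = ipaddress.ip_interface(f"{address}/{prefix_len}")
    gw = ipaddress.ip_address(gateway)
    net = iface.network
    problems = []
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    if gw == iface.ip:
        problems.append("gateway is the same as the WAN address")
    if net.prefixlen < 31:  # /31 and /32 have no separate network/broadcast
        for label, ip in (("address", iface.ip), ("gateway", gw)):
            if ip in (net.network_address, net.broadcast_address):
                problems.append(f"{label} {ip} is the network or broadcast "
                                f"address of {net}")
    return problems


if __name__ == "__main__":
    # Constructed values, not taken from a real deployment.
    print(check_hostname("fw-1", "company.home.arpa"))
    print(check_static_wan("203.0.113.10", 29, "203.0.113.9"))  # consistent
    print(check_static_wan("203.0.113.10", 29, "203.0.113.1"))  # wrong subnet
```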

DHCP Hostname:

This field (Figure DHCP Hostname Setting) is only required by a few ISPs. This value is sent along with the DHCP request to obtain a WAN IP address. If the value for this field is unknown, try leaving it blank unless directed otherwise by the ISP.

PPPoE Configuration:

When using the PPPoE (Point-to-Point Protocol over Ethernet) WAN type (Figure PPPoE Configuration), the PPPoE Username and PPPoE Password fields are required, at a minimum. The values for these fields are determined by the ISP.

PPPoE Username:

The login name for PPPoE authentication. The format is controlled by the ISP, but commonly uses an e-mail address style.

PPPoE Password:

The password to login to the account specified by the username above. The password is masked by default. To view the entered password, check Reveal password characters.

PPPoE Service Name:

The PPPoE Service name may be required by an ISP, but is typically left blank. When in doubt, leave it blank or contact the ISP and ask if it is necessary.

PPPoE Dial on Demand:

This option leaves the connection down/offline until data is requested that would need the connection to the Internet. PPPoE logins happen quite fast, so in most cases the delay while the connection is set up would be negligible. If public services are hosted behind this firewall, do not check this option as an online connection must be maintained as much as possible in that case. Also note that this choice will not drop an existing connection.

PPPoE Idle Timeout:

Specifies how much time the PPPoE connection remains up without transmitting data before disconnecting. This is only useful when coupled with Dial on demand, and is typically left blank (disabled).

Note

This option also requires the deactivation of gateway monitoring, otherwise the connection will never be idle.

PPTP Configuration:

The PPTP (Point-to-Point Tunneling Protocol) WAN type (Figure PPTP WAN Configuration) is for ISPs that require a PPTP login, not for connecting to a remote PPTP VPN. These settings, much like the PPPoE settings, will be provided by the ISP. A few additional options are required:

Local IP Address:

The local (usually private) address used by this firewall to establish the PPTP connection.

CIDR Subnet Mask:

The subnet mask for the local address.

Remote IP Address:

The PPTP server address, which is usually inside the same subnet as the Local IP address.

These last two options, seen in Figure Built-in Ingress Filtering Options, are useful for preventing invalid traffic from entering the network protected by this firewall, also known as “Ingress Filtering”.

Block RFC 1918 Private Networks:

Blocks connections sourced from registered private networks such as 192.168.x.x and 10.x.x.x attempting to enter the WAN interface. A full list of these networks is in Private IP Addresses.

Block Bogon Networks:

When active, the firewall blocks traffic from entering if it is sourced from reserved or unassigned IP space that should not be in use. The list of bogon networks is updated periodically in the background, and requires no manual maintenance. Bogon networks are further explained in Block Bogon Networks.
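
To show which WAN-side source addresses these two options would catch, the following added example (not pfSense code) classifies constructed packet records. The record format, the function names and the short bogon sample are assumptions; the firewall's own bogon list is larger and maintained automatically.

```python
import ipaddress

# The three RFC 1918 private blocks.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: a small static sample of reserved IPv4 space, standing in for
# the periodically updated bogon list the firewall uses.
BOGON_SAMPLE = [ipaddress.ip_network(n) for n in
                ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                 "224.0.0.0/4", "240.0.0.0/4")]


def classify_source(src):
    """Return which ingress option would match a WAN-side source address."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in RFC1918):
        return "block-rfc1918"
    if any(addr in net for net in BOGON_SAMPLE):
        return "block-bogon"
    return "pass-to-rules"  # still subject to the normal firewall rules


def audit(lines):
    """Classify constructed 'interface source destination' records."""
    results = []
    for line in lines:
        iface, src, _dst = line.split()
        if iface != "wan":
            continue  # these options only filter traffic entering the WAN
        results.append((src, classify_source(src)))
    return results


# Constructed sample records, not real firewall log output.
SAMPLE = [
    "wan 192.168.1.50 203.0.113.10",
    "wan 10.20.30.40 203.0.113.10",
    "wan 240.1.2.3 203.0.113.10",
    "wan 8.8.8.8 203.0.113.10",
    "lan 192.168.1.50 8.8.8.8",
]

if __name__ == "__main__":
    for src, verdict in audit(SAMPLE):
        print(f"{src:15} {verdict}")
```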

Click Next to continue once the WAN settings have been filled in.

LAN Interface Configuration

This page of the wizard configures the LAN IP Address and Subnet Mask (Figure LAN Configuration).

If this firewall will not connect to any other network via VPN, the default 192.168.1.0/24 network may be acceptable. If this network must be connected to another network, including via VPN from remote locations, choose a private IP address range much more obscure than the common default of 192.168.1.0/24. IP space within the 172.16.0.0/12 RFC 1918 private address block is generally the least frequently used, so choose something between 172.16.x.x and 172.31.x.x to help avoid VPN connectivity difficulties.

If the LAN is 192.168.1.x and a remote client is at a wireless hotspot using 192.168.1.x (very common), the client will not be able to communicate across the VPN. In that case, 192.168.1.x is the local network for the client at the hotspot, not the remote network over the VPN.
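
The overlap problem described above can be checked before committing to a LAN subnet. This is an added example, not part of the pfSense documentation or code; the list of remote networks is constructed and the function names are assumptions.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: networks that VPN clients or remote sites are known to use.
# Constructed for illustration; replace with the networks that apply.
REMOTE_NETS = [ipaddress.ip_network(n) for n in
               ("192.168.0.0/24", "192.168.1.0/24",
                "10.0.0.0/24", "172.20.5.0/24")]


def conflicts(lan, remote_nets=REMOTE_NETS):
    """Return the remote networks that overlap the proposed LAN subnet."""
    lan_net = ipaddress.ip_network(lan, strict=False)
    return [str(r) for r in remote_nets if lan_net.overlaps(r)]


def is_private(lan):
    """True when the proposed LAN sits entirely inside an RFC 1918 block."""
    lan_net = ipaddress.ip_network(lan, strict=False)
    return any(lan_net.subnet_of(p) for p in RFC1918)


def suggest_lan(remote_nets=REMOTE_NETS, prefix=24):
    """First subnet of 172.16.0.0/12 that overlaps none of remote_nets.

    Any free subnet in that block works equally well; the first one is
    returned only to keep the result deterministic.
    """
    block = ipaddress.ip_network("172.16.0.0/12")
    for candidate in block.subnets(new_prefix=prefix):
        if not any(candidate.overlaps(r) for r in remote_nets):
            return str(candidate)
    return None


if __name__ == "__main__":
    for lan in ("192.168.1.1/24", "172.20.0.1/16", "172.27.44.1/24"):
        print(lan, "private:", is_private(lan), "conflicts:", conflicts(lan))
    print("suggested:", suggest_lan())
```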

If the LAN IP Address must be changed, enter it here along with a new Subnet Mask. If these settings are changed, the IP address of the computer used to complete the wizard must also be changed if it is connected through the LAN. Release/renew its DHCP lease, or perform a “Repair” or “Diagnose” on the network interface when finished with the setup wizard.

Click Next to continue.

Set admin password

Next, change the administrative password for the GUI as shown in Figure Change Administrative Password. The best practice is to use a strong and secure password.

Warning

This password cannot be set to the same value as the username.

Additionally, on pfSense Plus software version 24.03 and later, the password cannot be set to the default value (Default Username and Password).

Enter the password in the Admin Password and confirmation box to be sure that it has been entered correctly.

Warning

On pfSense Plus software version 24.03 and later, changing the password is mandatory. The wizard will not proceed until the password is changed.

Click Next to continue.

Warning

Do not leave the password set to the default pfsense. If access to the firewall administration via GUI or SSH is exposed to the Internet, intentionally or accidentally, the firewall could easily be compromised if it still uses the default password.

Completing the Setup Wizard

That completes the setup wizard configuration. Click Reload (Figure Reload the GUI) and the GUI will apply the settings from the wizard and reload services changed by the wizard.

Tip

If the LAN IP address was changed in the wizard and the wizard was run from the LAN, adjust the client computer’s IP address accordingly after clicking Reload.

When prompted to login again, enter the new password. The username remains admin.

After reloading, the final screen of the wizard includes convenient links to check for updates, get support, and other resources. Click Finish to complete and exit the wizard.

At this point the firewall will have basic connectivity to the Internet via the WAN and clients on the LAN side will be able to reach Internet sites through this firewall.

If at any time this initial configuration must be repeated, revisit the wizard at System > Setup Wizard from within the GUI.
