pfSense Initial Setup: Complete Installation Guide (2026)
Step-by-step walkthrough for installing pfSense CE or pfSense Plus on a Protectli vault or mini-PC, covering interface assignment, WAN/LAN configuration, and first-boot hardening.
pfSense CE and pfSense Plus are FreeBSD-based firewall and routing platforms developed by Netgate. This guide walks you through a fresh install from USB to a working WAN+LAN configuration.
Hardware: What you need
Any x86-64 system with at least two NICs works. Common homelab choices:
- Protectli FW4C — Intel J3160, 4×GbE, fanless, ~$250 used — community favorite for pfSense CE
- Netgate 1100 — ARM-based, ~$189, ships with pfSense Plus pre-installed
- Netgate 2100 — ARM-based (Marvell OCTEON TX2), official hardware, ~$349, pfSense Plus
- Topton/Cwwk N5105 mini-PC — 4×GbE or 2.5GbE, ~$200, runs pfSense CE well
For a basic WAN+LAN setup any two-NIC x86-64 box is sufficient. Note: pfSense Plus is only officially supported on Netgate hardware or as a paid cloud image; pfSense CE runs on any x86-64.
Download the installer
pfSense CE (free, community edition):
- Go to the pfSense download page and select the AMD64 DVD ISO (installer image).
- Write to USB:
dd if=pfSense-CE-*.iso of=/dev/sdX bs=4M status=progress(Linux/macOS).
pfSense Plus (Netgate hardware):
- Comes pre-installed on Netgate appliances. Updates available through the web UI.
Boot and install
- Boot from USB. The installer launches automatically.
- Accept the copyright notice → select Install pfSense.
- Choose Auto (ZFS) for disk layout on modern hardware (recommended), or Auto (UFS) for compatibility.
- Select your disk → confirm destruction → let install complete.
- Reboot, remove USB.
Interface assignment
At the console menu, select 1 — Assign Interfaces:
Should VLANs be set up now? → n
Enter the WAN interface name or 'a' for auto-detection: igb0
Enter the LAN interface name: igb1
Do you want to proceed? → ypfSense will assign interfaces and reboot.
First-boot web UI access
From a LAN-connected device, browse to https://192.168.1.1. Default credentials: admin / pfsense.
The Setup Wizard launches automatically:
- Set hostname and domain (e.g.,
firewall.home.arpa) - Configure DNS (1.1.1.1 + 9.9.9.9 or your preferred upstream)
- Set timezone
- Configure WAN (DHCP for most ISPs, PPPoE if required)
- Confirm LAN IP (default 192.168.1.1/24)
- Change the admin password — required step at the end of the wizard
Immediate hardening steps
Before doing anything else:
- Disable HTTP redirect — System → Advanced → Admin Access → uncheck “HTTP Redirect”
- Lock SSH to key-auth — System → Advanced → Admin Access → enable SSH, set auth to key only
- Enable auto-update notifications — System → Update → Branch: Latest Stable
- Set secure DNS — System → General Setup → DNS servers: 1.1.1.1 (Enable DNS Resolver)
Next steps
- VLAN configuration on pfSense — segment IoT, guest, and trusted traffic
- pfBlockerNG setup — DNS-based ad and tracker blocking
- Snort IDS/IPS on pfSense — inline intrusion detection
Comparing platforms? See firewallcompare.com ↗ for pfSense vs OPNsense vs UniFi side-by-side.
Related
Best Hardware for pfSense in 2026: Netgate, Protectli, and Mini-PC Options
Tested hardware recommendations for running pfSense CE and pfSense Plus: official Netgate appliances, fanless Protectli vaults, and refurbished mini-PCs — with throughput data and price tiers.
pfSense VLAN Configuration: Segment IoT, Guest, and Trusted Networks
How to create and enforce VLANs on pfSense to isolate IoT devices, guest Wi-Fi, and your trusted LAN — with firewall rules that block inter-VLAN traffic by default.
pfBlockerNG Setup Guide: DNS Ad-Blocking and Threat Intel on pfSense
Install and configure pfBlockerNG on pfSense to block ads, trackers, and malicious domains network-wide using DNS. Covers DNSBL feeds, IP reputation blocking, and tuning false positives.