pfSense 2.x Cookbook

pfSense 2.x Cookbook: Manage and maintain your network using pfSense , Second Edition

David Zientara
Paperback, Dec 2018, 298 pages, 2nd Edition

Initial Configuration

In this chapter, we will cover the following recipes:

  • Applying basic settings to General Setup
  • Identifying and assigning interfaces
  • Configuring a WAN interface
  • Configuring a LAN interface
  • Configuring optional interfaces
  • Enabling SSH access
  • Generating authorized RSA keys
  • Configuring SSH RSA authentication
  • Accessing the SSH
  • Configuring VLANs
  • Assigning interfaces from the console
  • Configuring a WAN interface from the console
  • Configuring a LAN interface from the console
  • Configuring optional interfaces from the console
  • Configuring VLANs from the console

Introduction

pfSense is open source software that can be used to turn a computer into a firewall/router. Its origins can be traced to the FreeBSD packet-filtering program known as PF, which has been part of FreeBSD since 2001. As PF is a command-line utility, work soon began on developing software that would provide a graphical frontend to PF. The m0n0wall project, which provides an easy-to-use, web-based interface for PF, was thus started. The first release of m0n0wall took place in 2003. pfSense began as a fork of the m0n0wall project.

Version 1.0 of pfSense was released on October 4, 2006, and version 2.0 was released on September 17, 2011. A key point in the development of pfSense took place with the release of Version 2.3 on April 12, 2016. This version phased out support for legacy technologies such as Point-to-Point Tunneling Protocol (PPTP), Wireless Encryption Protocol (WEP), and Single DES, and also gave the web GUI a face-lift. Version 2.4, released on October 12, 2017, continues this trend of phasing out legacy technologies while also adding features. Support for 32-bit x86 architectures has been deprecated, while support for Netgate Advanced RISC Machines (ARM) devices has been added. A new pfSense installer (based on FreeBSD's bsdinstall) has been incorporated, and there is support for the ZFS filesystem as well as the Unified Extensible Firmware Interface (UEFI). pfSense now supports multiple languages; the web GUI has been translated into 13 different languages.

This chapter will cover the basic configuration steps common to virtually all deployments. Once you have completed the recipes in this chapter, you will have a fully functional router/firewall. By following the recipes in subsequent chapters, you can enhance that functionality by adding specific firewall rules, enabling traffic shaping, adding load balancing and multi-WAN capabilities, and much more.

Applying basic settings to General Setup

This recipe describes how to configure core pfSense settings from the web GUI.

Getting ready

All that is required for this recipe is a fresh install of pfSense and access to the web GUI.

On a new install, the default login credentials are Username: admin and Password: pfsense

How to do it...

  1. In the web GUI, navigate to System | General Setup.
  2. In the first section of the page (System), enter a Hostname. This name can be used to access the firewall instead of the IP address.
  3. In the next field, enter the Domain.
  4. The next field is DNS Servers. By default, pfSense will act as the primary DNS server; however, you can specify alternate DNS servers here. The Add DNS Server button causes an additional edit box to appear, into which you can enter another DNS server; you can add as many alternate DNS servers as necessary.
  5. Check the Allow DNS server list to be overridden by DHCP/PPP on WAN checkbox (it should be checked by default). This ensures that any DNS requests that cannot be processed internally will be passed on to the external DNS servers specified by your ISP.
  6. In the Localization section, specify a Timezone and leave Timeservers at the default value of 0.pfsense.pool.ntp.org. Specify the appropriate Language (the default is English).
  7. In the webConfigurator section, I'd recommend the default Theme of pfSense. You can set Top Navigation to either Scrolls with page (appropriate for all screen sizes) or Fixed (designed for large screens only). You may also set the number of Dashboard Columns (the default is 2).
  8. When done, click on the Save button.

See also

  • The Configuring the DNS Forwarder recipe in Chapter 2, Essential Services.

Identifying and assigning interfaces

This recipe describes how to identify interfaces on a network configuration and how to assign them in pfSense.

Getting ready

You need to identify the MAC addresses for each Ethernet port on your pfSense system before attempting to assign them.

How to do it...

  1. Navigate to Interfaces | Interface Assignments.
  2. Assign a WAN interface by selecting the correct MAC address from the drop-down list for the WAN interface.
  3. Repeat this process for the LAN interface, selecting the correct MAC address from the drop-down list for the LAN interface. If necessary, add the LAN interface to the list by following this process:
    1. Click on the Add button in the Available network ports column.
    2. Click on the name of the newly created interface in the Interfaces column (it should be OPT1).
    3. When the configuration page for the interface loads, change Description to LAN.
    4. Click on the Save button at the bottom of the page.
    5. Navigate back to Interfaces | Interface Assignments.
  4. If you want to add optional interfaces, you can do so by repeating step 3 and substituting the name of the optional interface (for example, DMZ) for LAN.
  5. When you are done assigning interfaces, click on the Save button.

See also

  • The Assigning interfaces at the console recipe

Configuring a WAN interface

This recipe describes how to configure the Wide Area Network (WAN) interface, which provides access to external networks on our pfSense system.

Getting ready

The WAN interface is your connection to external networks (in most cases, the public internet). You will need a properly configured WAN interface and an internet connection. In this example, we will connect to the internet via an Internet Service Provider (ISP) and a cable modem.

How to do it...

  1. Navigate to Interfaces | WAN.
  2. Check the Enable Interface checkbox (it should be checked by default).
  3. Choose an IPv4 Configuration Type (usually DHCP).
  4. Choose an IPv6 Configuration Type, or leave it set to None.
  5. Leave MAC Address blank. Manually entering a MAC address here is known as MAC address spoofing. You can enter a MAC address here if you want to force your ISP to hand you a different IP address, or a different set of DNS servers. Be warned, however, that the MAC address entered must have a valid manufacturer's prefix or it won't work.
  6. Leave MTU, MSS, Hostname, and Alias IP address blank.
  7. Check the Block private networks and loopback addresses checkbox (it should be checked by default). This will block RFC 1918 private addresses from being sent out over the public internet.
  8. Check the Block bogon networks checkbox (it should be checked by default). This will block packets from IP addresses not yet assigned by IANA from being sent or received.
  9. Click on the Save button when done.

How it works...

We must first establish a connection to the internet before we can configure pfSense to allow other networks to access it. The example we provided is a typical WAN configuration for a Small Office/Home Office (SOHO) environment. By setting up the WAN interface as the only interface with direct access to the internet, we are securing the network behind the firewall and establishing complete control over our networks. All networks behind the firewall must now abide by the rules we create.

There's more...

Now that we have configured the WAN interface, we can connect the cable modem to the WAN port on pfSense and check the status of the WAN port by navigating to Status | Interfaces.

See also

  • The Identifying and assigning interfaces recipe in this chapter
  • The Configuring a LAN interface recipe in this chapter
  • The Configuring optional interfaces from the console recipe in this chapter

Configuring a LAN interface

This recipe describes how to configure the Local Area Network (LAN) internal interface of our pfSense firewall.

Getting ready

The LAN interface is the interface to the internal network through which our nodes will be able to securely connect to other internal nodes and to the internet. An assigned LAN interface is required.

How to do it...

  1. Navigate to Interfaces | LAN.
  2. Check the Enable Interface checkbox.
  3. Choose an IPv4 Configuration Type (usually Static IPv4).
  4. Choose an IPv6 Configuration Type (or leave it set to None).
  5. Enter an IPv4 Address in the appropriate field, and the correct CIDR in the adjacent drop-down box. Leave IPv4 Upstream gateway set to None.
  6. If you enabled IPv6 by setting the IPv6 Configuration Type, enter an IPv6 Address in the appropriate field and the correct CIDR in the adjacent drop-down box.
  7. Leave Block private networks and Block bogon networks unchecked (they should be unchecked by default).
  8. When you are done making changes, click on the Save button. When the page reloads, click on the Apply Changes button.

How it works...

You have just defined your first internal network. If you have been following these recipes in order, you now have met the minimal requirements for a fully functional network. You can now either continue adding networks, or start configuring the rules to regulate traffic between the networks.

There's more...

You can now connect a switch to the LAN port of your pfSense system, and connect nodes to the LAN network.

See also

  • The Identifying and assigning interfaces recipe in this chapter
  • The Configuring a WAN interface recipe in this chapter
  • The Configuring optional interfaces from the console recipe in this chapter

Configuring optional interfaces

This recipe describes how to configure optional interfaces (for example, a DMZ network) on pfSense.

Getting ready

The optional network you will create in this recipe will be a DMZ, which is short for Demilitarized Zone. The idea of a DMZ is to have a network where some traffic is allowed to pass and some traffic is not. Typically, traffic in the DMZ is allowed to pass to and from the internet but not to other internal networks. Traffic is allowed to pass from internal networks to the DMZ. Thus, the flow of traffic looks like this:

Internet <<>> DMZ << Internal networks

Unsafe internet traffic, for example, is allowed to enter a web server in the DMZ. LAN traffic is allowed to enter the DMZ as well, for example, if someone on the LAN wants to access the web server as well. However, the key lies in the fact that no DMZ traffic is allowed to access the internal networks.

To configure a DMZ, you will need at least one spare interface, and you will have to have added it using the procedure outlined in the Identifying and assigning interfaces recipe. We will assume that you have added at least one such interface (named OPT1).

How to do it...

  1. Navigate to Interfaces | OPT1.
  2. Check the Enable Interface checkbox.
  3. Set Description to DMZ.
  4. Set IPv4 Configuration Type to Static IPv4.
  5. Enter an IPv4 Address and the CIDR. In our case, we will use 192.168.2.1 and select 24 from the CIDR drop-down list.
  6. Leave IPv4 Upstream gateway set to None.
  7. Leave the Block private networks and Block bogon networks checkboxes unchecked (they should be unchecked by default).
  8. When you are done making changes, click on the Save button. When the page reloads, click on the Apply Changes button.

How it works...

Your DMZ network will now allow external (WAN) access. Your LAN network will now be able to access the DMZ, but the DMZ will not be able to access the LAN.

There's more...

You can now attach a switch to your DMZ port to allow you to attach multiple nodes to your DMZ network. If you have been following the recipes in this chapter in order, your network now consists of a WAN, a LAN, and a DMZ.

See also

  • The Identifying and assigning interfaces recipe
  • The Configuring a WAN interface recipe
  • The Configuring a LAN interface recipe

Enabling SSH access

This recipe describes how to enable the Secure Shell service in pfSense, thus making remote console login possible.

SSH is a networking protocol that allows encrypted communication between two nodes. Enabling SSH will allow you to gain access to the pfSense console remotely, as if you were at the console.

How to do it...

  1. Navigate to System | Advanced.
  2. In the Secure Shell section of the page, check the Enable Secure Shell checkbox.
  3. With the current settings, you will be prompted for a username and password when logging into the console remotely. But by changing the SSHd Key Only setting to Public Key Only, you can set it so that only logins with a public key will be allowed. See the next recipe for details on how to generate an RSA public key.
  4. Leave SSH port set to the default, port 22.
  5. When you are done, click on the Save button.

How it works...

Enabling Secure Shell in pfSense turns on pfSense’s internal SSH server, which causes pfSense to listen for login attempts on the SSH port (in this case, port 22).

There's more...

Using RSA keys for SSH login is an effective way of securing your system. You can also change the SSH port; this should result in fewer unauthorized login attempts, though you will have to remember the new SSH port.

See also

  • The Generating authorized RSA keys recipe in this chapter
  • The Configuring SSH RSA key authentication recipe in this chapter

Generating authorized RSA keys

This recipe describes how to create an authorized RSA key so the user can log in to the pfSense console without using a password.

Getting ready

Linux and macOS users will need the ssh-keygen utility (installed by default in most cases). Windows users will need the puttygen utility.

How to do it...

For Linux/macOS users:

  1. In a Terminal window, type ssh-keygen and press Enter.
  2. Enter the name of the file in which to save the key (or just accept the default value).
  3. Enter a passphrase for the new key (not necessary, but recommended).
  4. Enter the passphrase a second time for confirmation.
  5. The program will now generate an RSA key pair and save it to the file (the public key goes in a file with the same name plus a .pub extension).

For Windows users:

  1. Start the puttygen utility.
  2. In the Actions section, click on the Generate button to generate a public/private key pair.
  3. Move your mouse over the top section of the puttygen dialog box to generate random activity, as per puttygen's instructions.
  4. Enter a passphrase (not necessary, but recommended).
  5. Click on the Save private key button and specify a filename for the private key (for example, MyPrivateKey.ppk).
  6. Highlight the public key that was created in the textbox and save it to a file (for example, MyPublicKey.txt). Do not use the Save public key button because it adds potentially incompatible text to the file.

How it works...

RSA has become a standard for securing client/server connections. A client generates a public/private key pair (a private key file and a public key file) and, optionally, a passphrase that protects the private key for additional security. Any server can then take the client's public key and add it to its system; that client can then authenticate without typing in a password.

See also

  • The Enabling SSH access recipe
  • The Configuring SSH RSA key authentication recipe

Configuring SSH RSA key authentication

This recipe describes how to configure pfSense to use an RSA key rather than a username/password combination for authentication.

Getting ready

Make sure you have enabled SSH access and generated an RSA key (if you completed the last two recipes, you have).

How to do it...

  1. Navigate to System | Advanced.
  2. Make sure SSHd Key Only is set to Public Key Only.
  3. Navigate to System | User Manager. Click on the Users tab (it should be selected by default).
  4. Click on the Edit icon (the pencil) for the admin account.
  5. In the Keys section, paste the client's public RSA key (this can be the RSA key you created in the previous recipe). When pasted, the key should appear as a single line. Make sure your text editor does not insert any line feeds, or authentication may fail.
  6. When done, click on the Save button.
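The single-line requirement in the key-pasting step above and the warning in the previous recipe against puttygen's Save public key button come down to the same thing: pfSense expects an OpenSSH-format line, while puttygen's button writes the RFC 4716 form with headers and wrapped base64. The following Python is an added example (not from the book or from pfSense) that converts either form into the one line you paste into User Manager, re-joins a blob that an editor has wrapped, and refuses blobs that do not decode. The key material is constructed and far too small for real use; it exists only so the base64 decodes as a valid OpenSSH wire-format key.

```python
import base64
import struct


def _wire_string(b: bytes) -> bytes:
    """Encode bytes as an SSH 'string': uint32 big-endian length, then the data."""
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH 'mpint' (one spare byte keeps the sign bit clear)."""
    return _wire_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


# Constructed sample: an "RSA" key with e=65537 and n=3233. Not a usable key; it only
# gives us a blob whose structure matches what ssh-keygen and puttygen produce.
SAMPLE_BLOB = base64.b64encode(
    _wire_string(b"ssh-rsa") + _mpint(65537) + _mpint(3233)
).decode("ascii")

# What puttygen's "Save public key" button writes: RFC 4716 markers, a Comment header
# and the base64 wrapped onto several lines (wrapped at 16 here for brevity).
RFC4716_SAMPLE = (
    "---- BEGIN SSH2 PUBLIC KEY ----\n"
    'Comment: "rsa-key-20181201"\n'
    + "\n".join(SAMPLE_BLOB[i:i + 16] for i in range(0, len(SAMPLE_BLOB), 16))
    + "\n---- END SSH2 PUBLIC KEY ----\n"
)


def _parse_blob(blob_b64: str) -> str:
    """Decode a public key blob and return the key type embedded in it.
    Raises ValueError unless every byte belongs to a length-prefixed field,
    so a truncated or editor-mangled blob is rejected rather than accepted."""
    raw = base64.b64decode(blob_b64, validate=True)   # binascii.Error is a ValueError
    fields, pos = [], 0
    while pos < len(raw):
        if pos + 4 > len(raw):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", raw[pos:pos + 4])
        pos += 4
        if pos + n > len(raw):
            raise ValueError("truncated field")
        fields.append(raw[pos:pos + n])
        pos += n
    if len(fields) < 2:
        raise ValueError("too few fields for a public key")
    return fields[0].decode("ascii")


def to_openssh_line(text: str) -> str:
    """Return the single '<type> <base64> [comment]' line pfSense expects, from either
    OpenSSH-format text (possibly wrapped by an editor) or RFC 4716 text."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines:
        raise ValueError("empty input")
    comment = ""
    if lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        body = []
        for ln in lines[1:]:
            if ln.startswith("---- END SSH2 PUBLIC KEY ----"):
                break
            if ":" in ln:                       # header line; base64 never contains ':'
                name, _, value = ln.partition(":")
                if name.strip().lower() == "comment":
                    comment = value.strip().strip('"')
                continue
            body.append(ln)
        blob = "".join(body)
        key_type = _parse_blob(blob)
    else:
        parts = " ".join(lines).split()
        key_type = parts[0]
        if not key_type.startswith(("ssh-", "ecdsa-", "sk-")):
            raise ValueError(f"unrecognised key type {key_type!r}")
        # An editor may have split the blob with line feeds: re-join tokens until the
        # result decodes completely; whatever is left over is the comment.
        blob, rest = "", parts[1:]
        while rest:
            blob += rest.pop(0)
            try:
                if _parse_blob(blob) == key_type:
                    break
            except ValueError:
                continue
            raise ValueError("key type prefix does not match the encoded key")
        else:
            raise ValueError("public key blob does not decode")
        comment = " ".join(rest)
    return f"{key_type} {blob} {comment}".strip()


if __name__ == "__main__":
    print(to_openssh_line(RFC4716_SAMPLE))
```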

How it works...

When you connect using an SSH client, instead of asking for a username and password, the SSH server will now use your public RSA key to send a challenge to you. The challenge can only be read if you have the matching private RSA key.

There’s more...

RSA private keys can also be stored encrypted to the client’s computer. The SSH client will prompt you for the decryption password. Once entered, it will be able to use the private key for authentication.

See also

  • The Enabling SSH access recipe
  • The Generating authorized RSA keys recipe
  • The Accessing the SSH recipe

Accessing the SSH

This recipe describes how to access the console from any Linux, macOS, or Windows computer.

Getting ready

The SSH server must be enabled and configured on your pfSense box. You must have an SSH client on your computer. An SSH client is installed by default on Linux and macOS. If you are using Windows, you need to install an SSH client such as PuTTY.

How to do it...

In Linux or macOS, follow these steps:

  1. Launch a Terminal window and type the following: ssh admin@<pfSense hostname or IP address>.
  2. If you are using the default configuration, you will be prompted for a password.
  3. If you are using RSA key authentication, the client will directly connect to the server, or you may be asked for a passphrase. If asked for a passphrase, use the one you created when creating the RSA key.
  4. If you configured SSH to use a different port, you can specify it using the -p option; for example, ssh -p 12345 admin@<pfSense hostname or IP address>.

In Windows, follow these steps:

  1. Launch PuTTY and, on the initial screen, enter the hostname or IP address of pfSense.
  2. Specify an alternate port if necessary.
  3. If you are using RSA key authentication, navigate to Connection | SSH | Auth | Private key file for authentication and select your private key file.
  4. You'll connect and be prompted for a username.
  5. You will then be prompted for a password, or if RSA authentication is used, you will connect directly, or be prompted for a passphrase.

How it works...

SSH allows access to the pfSense console from any computer or device that has an SSH client installed on it.

See also

  • The Enabling SSH access recipe
  • The Generating authorized RSA keys recipe
  • The Configuring SSH RSA key authentication recipe

Configuring VLANs

This recipe describes how to set up a Virtual LAN (VLAN) from the pfSense web GUI. For example, we could set up a VLAN for developers.

Getting ready

In order to complete this recipe, you must have at least one unassigned interface to use as the parent interface.

How to do it...

  1. Navigate to Interfaces | Assignments, and click on the VLANs tab.
  2. Click on the Add button.
  3. Choose a Parent Interface from the drop-down menu; this should be a currently unassigned interface.
  4. Enter a VLAN Tag from 2 to 4094 (1 is reserved as the default VLAN tag and should not be used).
  5. Enter a VLAN Priority level from 0 to 7 (or just leave it at the default value of 0).
  6. Enter a brief Description.
  7. When you are done, click on the Save button.
  8. Click on the Interface Assignments tab.
  9. In the Available network ports column, select the newly created VLAN in the drop-down box, and click on the Add button.
  10. To configure the VLAN, click on the interface name in the Interface column.
  11. On the Interfaces configuration page, check the Enable Interface checkbox.
  12. Change the Description to an appropriate one for the VLAN (for example, DEV).
  13. Set the IPv4 Configuration Type to an appropriate value (usually Static IPv4).
  14. Set the IPv6 Configuration Type, or leave it set to None.
  15. If you set the IPv4 Configuration Type to Static IPv4, you must enter the IPv4 Address and CIDR for the new VLAN. Use a subnet that has not yet been used (for example, 192.168.10.1/24).
  16. Leave the IPv4 Upstream gateway set to None.
  17. If you set the IPv6 Configuration Type to Static IPv6, you must enter the IPv6 Address and CIDR for the new VLAN.
  18. Leave the IPv6 Upstream gateway set to None.
  19. Leave the Block private networks and Block bogon networks checkboxes unchecked.
  20. When you are done making changes, click on the Save button, and then, when the page reloads, click on the Apply Changes button.

How it works...

Up to now, we have contemplated networks that correspond to a single network interface. Sometimes, however, we want to decouple logical network groupings from physical interfaces. We may want to have more than one network on a single interface—or, less commonly, have a network span multiple interfaces. We can accomplish this with virtual LANs, or VLANs. By attaching a special header to an Ethernet frame, known as an 802.1Q tag, we can have VLANs. Since the VLAN tag is an integer from 1 to 4094, it would seem that we are limited to 4094 VLANs (or 4093, since we are not supposed to use 1 as a tag), but by using QinQ tagging, we can nest VLAN tags, making it possible to have a much greater number of VLANs on our private network (in fact, a much greater number of VLANs than we would probably ever need).

In step 5 of this recipe, we referenced the VLAN priority level. This is a feature added to pfSense with version 2.3 that allows you to define a class of service for your VLAN. It is a 3-bit field from 0 to 7. Somewhat counter-intuitively, 1 is the lowest priority level (background), while 7 is the highest, and 0 is best-effort treatment, which is one step above the lowest priority level.
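The 802.1Q tag described in the two paragraphs above, with its 2 to 4094 tag range, its 3-bit priority field (ordered 1, 0, 2, 3, 4, 5, 6, 7 from lowest to highest) and QinQ nesting, as an added Python example that is not from the book or from pfSense. The MAC addresses, VLAN numbers and payload are constructed; the outer tag of a nested pair is written with the 802.1ad S-TAG ethertype, which is an assumption about the switch rather than something the recipe states.

```python
import struct

ETHERTYPE_8021Q = 0x8100    # 802.1Q customer tag (C-TAG)
ETHERTYPE_8021AD = 0x88A8   # 802.1ad service tag (S-TAG), the outer tag in QinQ
ETHERTYPE_IPV4 = 0x0800

# IEEE 802.1p priority order from lowest to highest: PCP 1 (background) is the
# lowest, PCP 0 (best effort) sits one step above it, and PCP 7 is the highest.
PCP_ORDER = (1, 0, 2, 3, 4, 5, 6, 7)


def pcp_rank(pcp: int) -> int:
    """Rank a 3-bit PCP value: 0 means lowest effective priority, 7 highest."""
    return PCP_ORDER.index(pcp)


def encode_tci(vid: int, pcp: int = 0, dei: int = 0) -> int:
    """Pack the 16-bit Tag Control Information: 3-bit PCP, 1-bit DEI, 12-bit VID.
    VID 0 (priority-only), 1 (default VLAN) and 4095 (reserved) are refused, which
    matches the 2 to 4094 range the recipe allows in the VLAN Tag field."""
    if not 2 <= vid <= 4094:
        raise ValueError(f"VLAN tag {vid} outside 2-4094")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP must be 0-7 and DEI 0 or 1")
    return (pcp << 13) | (dei << 12) | vid


def decode_tci(tci: int) -> tuple:
    """Unpack a TCI into (pcp, dei, vid)."""
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0x0FFF


def build_tagged_frame(dst: bytes, src: bytes, tags: list, payload: bytes,
                       ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Assemble dst | src | tag... | ethertype | payload. `tags` is a list of
    (vid, pcp) pairs, outermost first; one pair gives a plain 802.1Q frame, two or
    more give a QinQ stack whose outer tag uses the S-TAG ethertype (assumption)."""
    header = b""
    for i, (vid, pcp) in enumerate(tags):
        tpid = ETHERTYPE_8021AD if (i == 0 and len(tags) > 1) else ETHERTYPE_8021Q
        header += struct.pack(">HH", tpid, encode_tci(vid, pcp))
    return dst + src + header + struct.pack(">H", ethertype) + payload


def parse_vlan_tags(frame: bytes) -> dict:
    """Walk the tag stack of a frame, the way a managed switch must, and return
    every (vid, pcp) pair outermost first plus the inner ethertype and payload.
    An untagged frame yields an empty tag list."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    pos, tags = 12, []
    while True:
        if pos + 2 > len(frame):
            raise ValueError("truncated ethertype")
        (etype,) = struct.unpack(">H", frame[pos:pos + 2])
        if etype not in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
            break
        if pos + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack(">H", frame[pos + 2:pos + 4])
        pcp, _dei, vid = decode_tci(tci)
        tags.append((vid, pcp))
        pos += 4
    return {"tags": tags, "ethertype": etype, "payload": frame[pos + 2:]}


if __name__ == "__main__":
    # Constructed: a DEV VLAN 10 at PCP 3, carried inside service VLAN 100 (QinQ).
    frame = build_tagged_frame(b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02",
                               [(100, 0), (10, 3)], b"hello")
    parsed = parse_vlan_tags(frame)
    for vid, pcp in parsed["tags"]:
        print(f"VLAN {vid} PCP {pcp} (priority rank {pcp_rank(pcp)})")
```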

There's more...

In order to utilize VLANs on your network, you need one or more managed switches. These are switches that recognize 802.1Q tags placed in the Ethernet frame by pfSense, and which will forward the frames to the correct port. Managed switches are never plug and play; they always involve some configuration, so consult your switch's documentation for details on how to configure it.

See also

  • The Configuring VLANs from the console recipe

Assigning interfaces from the console

This recipe describes how to assign interfaces using the console menu.

Getting ready

In order to complete this recipe, you will need at least one unassigned interface.

How to do it...

  1. On the console menu, press 1 and press Enter.
  2. The first option will be for setting up VLANs. Since we don't want to set up VLANs now, press n and Enter.
  3. You will be prompted to enter the WAN interface name. Here, you must enter the device name for the interface that will be the WAN interface (for example, eth0, eth1, em0, em1, and so on). Enter the appropriate device name and press Enter.
  4. You will be prompted to enter the LAN interface name, or nothing if finished. You only need to assign the WAN interface (in which case you will be able to log into pfSense using the WAN IP address). However, if you want to assign an interface to LAN, enter the device name and press Enter. Otherwise, just press Enter.
  5. If there are more than two network interfaces, you can assign optional interfaces at the console. To do so, enter the device name and press Enter. Otherwise, just press Enter.
  6. The interface assignments will be listed, and you will be asked whether you want to proceed. Pressing n and Enter will result in no changes being made, while pressing y and Enter will commit the changes.
  7. If you pressed y and Enter, the changes will be written and the settings will be reloaded. You will then be returned to the console menu.

How it works...

In this recipe, we were able to assign interfaces (which was done earlier in the chapter via the web GUI) from the console. Many configurations can be done from the console—we can even restore earlier configurations and run utilities—and in this book, we will take advantage of this functionality.

See also

  • The Configuring a WAN interface from the console recipe
  • The Configuring a LAN interface from the console recipe
  • The Configuring optional interfaces from the console recipe
  • The Configuring VLANs from the console recipe

Configuring a WAN interface from the console

This recipe describes how to configure the WAN interface from the Console menu.

Getting ready

In order to complete this recipe, the WAN interface must have previously been assigned to one of the available network interfaces.

How to do it...

  1. On the console menu, type 2 and press Enter.
  2. pfSense will prompt you for the number of the interface you want to configure. For the WAN interface, this will be 1, so type 1 and press Enter.
  3. pfSense will ask you if you want to configure the IPv4 WAN address through DHCP. In most cases, you will want to type y, because the WAN interface address will be assigned by your ISP via DHCP. Type y and press Enter. If you enter n, pfSense will prompt you for a WAN IPv4 address, and then the subnet bit count.
  4. pfSense will ask you whether you want to configure the IPv6 WAN address through DHCP6. You can type y if your ISP supports IPv6 addressing, or type n, in which case IPv6 addressing for the WAN interface will be disabled.
  5. pfSense will ask you whether you want to revert to HTTP for the webConfigurator protocol. Unless you have a reason for not using HTTPS for the web GUI, type n and press Enter.
  6. The configuration process is now complete. The settings will be saved and pfSense will reload them.

How it works...

This recipe describes how to configure the WAN interface via the console instead of through the web GUI. Note that the options are much more limited than they are in the web GUI. For example, you only have the option to configure an IPv4 address via DHCP or use a static address. None of the other options, such as PPP or PPPoE, are available. Also, with IPv6, the only option is DHCP6. If you require more options than are available here, use the web GUI.

See also

  • The Assigning interfaces from the console recipe
  • The Configuring a LAN interface from the console recipe
  • The Configuring optional interfaces from the console recipe
  • The Configuring VLANs from the console recipe
  • The Configuring a WAN interface recipe

Configuring a LAN interface from the console

This recipe describes how to configure the LAN interface from the Console menu.

Getting ready

In order to complete this recipe, the LAN interface must have previously been assigned to one of the available network interfaces.

How to do it...

  1. On the console menu, type 2 and press Enter.
  2. pfSense will prompt you for the number of the interface you want to configure. For the LAN interface, this will be 2, so type 2 and press Enter.
  3. pfSense will prompt you for the new LAN IPv4 address. Enter the new address and press Enter.
  4. pfSense will prompt you for the subnet bit count (the CIDR). Enter the bit count and press Enter.
  5. pfSense will prompt you for the new LAN IPv4 upstream gateway address. You don't need to specify an upstream gateway, so just press Enter.
  6. pfSense will prompt you for the new LAN IPv6 address. If you want to specify an IPv6 address, type it here; otherwise, just press Enter.
  7. If you entered an IPv6 address, pfSense will prompt you for the subnet bit count (CIDR). Enter the bit count and press Enter.
  8. If you entered an IPv6 address, pfSense will prompt you for the new LAN IPv6 upstream gateway address. You don't need to specify an upstream gateway, so just press Enter.
  9. pfSense will ask whether you want to enable the DHCP server on LAN. If you enter y, you will then be prompted for the start and end addresses of the IPv4 client address range. You can enter y and type the start and end addresses, or just enter n and set up DHCP later on (recommended).
  10. If you entered an IPv6 address, pfSense will ask if you want to enable the DHCP6 server on LAN. If you enter y, you will then be prompted for the start and end addresses of the IPv6 client address range. You can enter y and type the start and end addresses, or just enter n and set up DHCP6 later on (recommended).
  11. pfSense will ask you whether you want to revert to HTTP for the webConfigurator protocol. Unless you have a reason for not using HTTPS for the web GUI, type n and press Enter.
  12. The configuration process is now complete. The settings will be saved and pfSense will reload them.

How it works...

This recipe described how to set up a LAN interface’s IP address using the console instead of the web GUI. Note that this option also allows you to set up the DHCP (or DHCP6) server, although it does not provide as many options as the web GUI. As with configuring a WAN interface, you may find it necessary to do the configuration via the web GUI, as the console only provides limited options.

See also

  • The Assigning interfaces from the console recipe
  • The Configuring a WAN interface from the console recipe
  • The Configuring optional interfaces from the console recipe
  • The Configuring VLANs from the console recipe
  • The Configuring a LAN interface recipe

Configuring optional interfaces from the console

This recipe describes how to configure optional interfaces from the console menu.

Getting ready

In order to complete this recipe, at least one optional interface must have previously been assigned to one of the available network interfaces.

How to do it...

  1. On the console menu, type 2 and press Enter.
  2. pfSense will prompt you for the number of the interface you want to configure. Type the appropriate number and press Enter.
  3. pfSense will prompt you for the new LAN IPv4 address. Enter the new address and press Enter.
  4. pfSense will prompt you for the subnet bit count (the CIDR). Enter the bit count and press Enter.
  5. pfSense will prompt you for the new LAN IPv4 upstream gateway address. You don’t need to specify an upstream gateway, so just press Enter.
  6. pfSense will prompt you for the new LAN IPv6 address. If you want to specify an IPv6 address, type it here; otherwise, just press Enter.
  7. If you entered an IPv6 address, pfSense will prompt you for the subnet bit count (CIDR). Enter the bit count and press Enter.
  8. If you entered an IPv6 address, pfSense will prompt you for the new LAN IPv6 upstream gateway address. You don’t need to specify an upstream gateway, so just press Enter.
  9. pfSense will ask whether you want to enable the DHCP server on LAN. If you enter y, you will then be prompted for the start and end addresses of the IPv4 client address range. You can enter y and type the start and end addresses, or just enter n and set up DHCP later on (recommended).
  10. If you entered an IPv6 address, pfSense will ask whether you want to enable the DHCP6 server on LAN. If you enter y, you will then be prompted for the start and end addresses of the IPv6 client address range. You can enter y and type the start and end addresses, or just enter n and set up DHCP6 later on (recommended).
  11. pfSense will ask you if you want to revert to HTTP for the webConfigurator protocol. Unless you have a reason for not using HTTPS for the web GUI, type n and press Enter.
  12. The configuration process is now complete. The settings will be saved and pfSense will reload them. Repeat the process for as many optional interfaces as you wish to configure.

How it works...

This recipe describes how to set up interfaces such as an interface for a DMZ.

See also

  • The Assigning interfaces from the console recipe
  • The Configuring a WAN interface from the console recipe
  • The Configuring a LAN interface from the console recipe
  • The Configuring VLANs from the console recipe
  • The Configuring optional interfaces recipe

Configuring VLANs from the console

This recipe describes how to add a VLAN from the console menu.

Getting ready

In order to complete this recipe, there must be at least one interface that was not previously assigned.

Do not use the console if you don’t want to have to reassign all the interfaces (for example, WAN, LAN, and any optional interfaces), because the only way to create VLANs from the console is to use the Assign Interfaces option.

How to do it...

  1. From the console menu, type 1 and press Enter.
  2. pfSense will ask if VLANs should be created now. Type y and press Enter.
  3. pfSense will next warn you that if you proceed, all existing VLANs will be cleared. Type y and press Enter.
  4. pfSense will list all the VLAN-capable interfaces. Although, technically, you can make a previously-assigned interface into the parent interface of a VLAN, it is not recommended. Type the name of one of the unassigned interfaces (for example, eth0, eth1, em0, or em1) and press Enter.
  5. pfSense will next prompt you for the VLAN tag. Type the VLAN tag and press Enter.
  6. Repeat steps 4 and 5 for as many VLANs as you wish to create. When you are done, press Enter.
  7. pfSense will prompt you for the name of the WAN interface; type in the name and press Enter.
  8. pfSense will prompt you for the name of the LAN interface; type in the name and press Enter.
  9. pfSense will prompt you for the name of the Optional 1 interface. You can create a VLAN by using the name of the VLAN interface(s) assigned in steps 4 and 5. The name of the interface will have two numbers separated by a period. The first number will be the device number of the interface; the second number (after the period) will be the VLAN tag. Thus, if the device name is em, and em2 is the parent interface of a VLAN with a tag of 3, the interface name will be em2.3. Type the interface name and press Enter.
  10. When you are done assigning interfaces, press Enter.
  11. pfSense will ask you whether you want to proceed. Type y and press Enter. Take note of the name of the newly created VLAN (for example, OPT1).
  12. You have now assigned a VLAN, but the VLAN doesn't have an IP address. To set the VLAN's IP address, type 2 and press Enter.
  13. Find the newly created VLAN in the list of interfaces, type the appropriate number, and press Enter.
  14. pfSense will prompt you for the VLAN's IPv4 address. Type in the address and press Enter.
  15. pfSense will prompt you for the subnet bit count (CIDR) of the address. Type in the bit count and press Enter.
  16. pfSense will prompt you for the IPv4 upstream gateway address. Since you don't need one, press Enter.
  17. pfSense will prompt you for the VLAN's IPv6 address. You can type in an IPv6 address or just press Enter.
  18. If you entered an IPv6 address, pfSense will prompt you for the subnet bit count (CIDR). Enter the bit count and press Enter. If you didn't enter an IPv6 address, skip to step 20.
  19. If you entered an IPv6 address, pfSense will prompt you for the IPv6 upstream gateway address. Since you don't need one, press Enter.
  20. pfSense will ask you whether you want to enable the DHCP server on the VLAN. Type y if you want to enable the DHCP server, and then type the range of available addresses. Otherwise, type n and press Enter.
  21. If you entered an IPv6 address, pfSense will ask you whether you want to enable the DHCP6 server on the VLAN. Type y if you want to enable the DHCP6 server, and then type the range of available addresses. Otherwise, type n and press Enter.
  22. pfSense will ask you whether you want to revert to HTTP for the webConfigurator protocol. Unless you have a reason for not using HTTPS for the web GUI, type n and press Enter.
  23. pfSense will save the changes and reload them. VLAN configuration is now complete.
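The console menu gives you no second chance once it starts saving, so it pays to check the values you are about to type. The following added example (not code from the book or from pfSense) does two things the console recipes above rely on: it splits a VLAN interface name of the form parent.tag (such as em2.3) into its parent device and 802.1Q tag, and it checks that a planned interface address, subnet bit count, and DHCP client range are consistent with each other. The rules it applies (a host address rather than the network or broadcast address, a DHCP range inside the subnet that does not include the interface address) are the author's own sanity checks, and the addresses are constructed.

```python
import ipaddress
import re

# Constructed example: a pre-flight check for the values the pfSense console
# menu asks for (option 2): interface address, subnet bit count (CIDR) and an
# optional DHCP client range. This is not pfSense code.

# A VLAN interface name is <parent device>.<VLAN tag>, for example em2.3.
VLAN_IFACE_RE = re.compile(r"^(?P<parent>[a-z]+[0-9]+)\.(?P<tag>[0-9]{1,4})$")


def parse_vlan_iface(name):
    """Split 'em2.3' into ('em2', 3); valid 802.1Q tags are 1-4094."""
    m = VLAN_IFACE_RE.match(name)
    if not m:
        raise ValueError(f"{name!r} is not of the form <parent>.<tag>")
    tag = int(m.group("tag"))
    if not 1 <= tag <= 4094:
        raise ValueError(f"VLAN tag {tag} is outside 1-4094")
    return m.group("parent"), tag


def check_iface_plan(addr, bits, dhcp_start=None, dhcp_end=None):
    """Return a list of problems with a planned address/CIDR/DHCP range.

    An empty list means the plan is consistent: the interface gets a host
    address, and the DHCP range (if any) lies inside the subnet, uses only
    host addresses and does not include the interface address itself."""
    problems = []
    iface = ipaddress.ip_interface(f"{addr}/{bits}")
    net = iface.network
    # /31 and /127 networks have no separate network/broadcast address.
    edges = (net.network_address, net.broadcast_address) if net.num_addresses > 2 else ()
    if iface.ip in edges:
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    if (dhcp_start is None) != (dhcp_end is None):
        problems.append("a DHCP range needs both a start and an end address")
        return problems
    if dhcp_start is None:
        return problems
    start, end = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)
    if not start.version == end.version == net.version:
        problems.append("DHCP range and interface address mix IPv4 and IPv6")
        return problems
    if start > end:
        problems.append(f"DHCP start {start} comes after end {end}")
    for label, ip in (("start", start), ("end", end)):
        if ip not in net:
            problems.append(f"DHCP {label} {ip} is outside {net}")
        elif ip in edges:
            problems.append(f"DHCP {label} {ip} is the network or broadcast address")
    if start <= iface.ip <= end:
        problems.append(f"DHCP range {start}-{end} includes the interface address {iface.ip}")
    return problems


if __name__ == "__main__":
    print(parse_vlan_iface("em2.3"))
    print(check_iface_plan("192.168.3.1", 24, "192.168.3.100", "192.168.3.199"))
    print(check_iface_plan("192.168.3.1", 24, "192.168.3.1", "192.168.3.255"))
```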

How it works...

This recipe describes how to set up VLANs from the console. The process is somewhat cumbersome, but if you need to create a VLAN and don't have access to the web GUI, it can be done.

See also

  • The Configuring VLANs recipe


Key benefits

  • Build a high-availability fault-tolerant security system with pfSense 2.x
  • Leverage the latest version of pfSense to secure your cloud environment
  • A recipe-based guide that will help you enhance your on-premise and cloud security principles

Description

pfSense is an open source distribution of the FreeBSD-based firewall that provides a platform for flexible and powerful routing and firewalling. The versatility of pfSense presents us with a wide array of configuration options, which makes determining requirements a little more difficult and a lot more important compared to other offerings. pfSense 2.x Cookbook, Second Edition starts by providing you with an understanding of how to complete the basic steps needed to render a pfSense firewall operational. It starts by showing you how to set up different forms of NAT entries and firewall rules and use aliases and scheduling in firewall rules. Moving on, you will learn how to implement a captive portal set up in different ways (no authentication, user manager authentication, and RADIUS authentication), as well as NTP and SNMP configuration. You will then learn how to set up a VPN tunnel with pfSense. The book then focuses on setting up traffic shaping with pfSense, using either the built-in traffic shaping wizard, custom floating rules, or Snort. Toward the end, you will set up multiple WAN interfaces, load balancing and failover groups, and a CARP failover group. You will also learn how to bridge interfaces, add static routing entries, and use dynamic routing protocols via third-party packages.

Who is this book for?

This book is intended for all levels of network administrators. If you are an advanced user of pfSense, then you can flip to a particular recipe and quickly accomplish the task at hand; if you are new to pfSense, on the other hand, you can work through the book chapter by chapter and learn all of the features of the system from the ground up.

What you will learn

  • Configure the essential pfSense services (namely, DHCP, DNS, and DDNS)
  • Create aliases, firewall rules, NAT port-forward rules, and rule schedules
  • Create multiple WAN interfaces in load-balanced or failover configurations
  • Configure firewall redundancy with a CARP firewall failover
  • Configure backup/restoration and automatic configuration-file backup
  • Configure some services and perform diagnostics with command-line utilities

Product Details

Publication date: Dec 17, 2018
Length: 298 pages
Edition: 2nd
Language: English
ISBN-13: 9781789806427


Table of Contents

12 Chapters

  • Initial Configuration
  • Essential Services
  • Firewall and NAT
  • Additional Services
  • Virtual Private Networking
  • Traffic Shaping
  • Redundancy, Load Balancing, and Failover
  • Routing and Bridging
  • Services and Maintenance
  • Backing Up and Restoring pfSense
  • Determining Hardware Requirements
  • Other Books You May Enjoy
