my cheat sheet on pfsense

1 pfsense

These are just some very basic notes on my pfsense setup. The keys are not real, for obvious reasons.

1.1 Protectli

I am running on a Protectli VP2420 (4x 2.5G port, Intel® Celeron J6412).

Hardware                 Option
CPU                      Intel Celeron J6412
Memory                   Crucial DDR4-3200 SO-DIMM 16 GB
Storage (M.2 SATA SSD)   240 GB Protectli M.2 SSD
Storage (2.5" SSD)       Samsung (no additional storage)
WiFi Module              No WiFi Module
4G LTE Modem             No 4G LTE External Modem
BIOS                     coreboot

2 Check certificate with openssl

You can use openssl to display and verify the details of keys, certificates and CSRs. The file here is a CSR (.req), so the subcommand is req; x509 only parses issued certificates and fails on a request. The -verify flag checks the requester's self-signature on the CSR, which is what prints the verify OK line:

  openssl req -in kr_management_cert.req -text -noout -verify

results in:

verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=kriksis.home.arpa, C=CA, ST=Ontario, L=Toronto, O=Thunder Consulting
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:c3:b2:4e:61:5a:c8:3a:e5:7f:6e:f9:52:86:8f:
                    50:64:20:dd:bb:da:24:16:8e:d2:88:98:63:c5:50:
                    6f:ae:01:3a:77:38:95:5d:14:42:36:8d:b5:63:78:
                    d0:78:5e:a5:74:f7:94:59:a4:9f:b3:6e:df:7b:a6:
                    ce:43:fe:25:99:b2:7b:9c:3c:3f:6e:ea:50:05:6d:
                    30:01:23:4d:0e:4f:7c:2e:39:ce:35:a1:f6:e2:5c:
                    bc:c1:85:a2:1a:96:bb:70:75:38:0e:49:c5:3b:ac:
                    a7:fc:88:f5:5b:a6:92:a1:b7:34:f7:68:7a:de:09:
                    39:9c:d0:d4:4e:a4:fd:7f:88:81:7a:fb:56:67:9c:
                    8d:d5:92:2f:25:5f:4a:1a:be:2f:1f:d9:8e:52:b6:
                    f6:b9:87:c8:a8:1c:1b:c3:f2:28:bb:1b:73:71:f5:
                    16:71:e9:77:3f:ff:02:98:1e:90:0d:e2:d7:da:f5:
                    5a:7b:43:d6:0a:dc:c0:3c:7f:2d:73:43:89:92:05:
                    2b:bd:fc:eb:99:f2:67:53:00:fa:16:18:16:0c:93:
                    7e:92:8d:57:1b:22:8d:cf:23:48:40:2d:9d:65:33:
                    d1:30:a8:43:cc:ef:68:35:a7:b7:5a:b8:47:fa:a0:
                    cf:e9:fe:2c:b3:52:57:7f:cc:13:ec:65:34:10:01:
                    88:c4:a8:8d:35:cb:15:b1:34:4a:64:c9:4d:75:81:
                    a0:bb:be:35:28:d9:16:c9:f3:af:73:b7:de:28:10:
                    df:71:41:b0:01:26:94:11:ba:bc:50:65:b1:07:df:
                    5c:13:8d:8a:c4:45:a2:08:8a:7a:69:78:09:c3:57:
                    d9:dc:24:2d:b7:1b:c5:47:04:6b:b4:8d:c6:44:7d:
                    54:af:be:9f:0a:b2:16:52:15:f2:8e:a6:66:ad:c4:
                    cd:f0:65:1d:1a:2a:c5:4d:61:55:af:54:4a:9a:25:
                    9f:d5:10:1e:8a:5e:45:91:04:9a:49:b9:38:07:2d:
                    f8:2b:8b:91:7e:9d:4f:ef:a2:81:d4:0f:c5:c0:bb:
                    1f:d4:9b:cc:e2:52:f6:52:b7:21:c6:a4:9f:71:f9:
                    6a:77:57:9c:60:80:83:a4:68:95:7f:42:b0:4d:5f:
                    1d:c8:99:e0:f7:c1:74:c0:60:3b:13:18:c9:fa:df:
                    42:ca:f6:e1:90:31:86:f4:4e:44:d0:78:7f:ba:de:
                    c4:cb:56:13:84:08:47:3d:39:e2:56:6c:39:ee:b8:
                    fc:d9:8b:bf:c4:f4:b0:e9:e9:50:c0:fb:ae:19:d2:
                    62:40:42:e9:d2:20:27:5c:6f:3d:27:47:f4:89:78:
                    a5:94:b7:40:5e:e1:72:1c:45:a7:b8:87:23:91:ac:
                    46:80:cf
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Server
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            Netscape Comment: 
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier: 
                4E:F6:32:DE:53:3B:C6:90:72:F7:8A:C2:24:04:1A:B8:DC:42:1A:0D
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication, 1.3.6.1.5.5.8.2.2
            X509v3 Subject Alternative Name: 
                DNS:kriksis.home.arpa
    Signature Algorithm: sha256WithRSAEncryption
         48:71:4c:a2:74:c2:d1:52:20:6b:52:c5:f7:0f:ce:e9:6a:f1:
         97:7b:c7:b4:03:ac:02:5d:32:04:b1:cd:3b:87:ab:93:6f:ff:
         91:a4:32:fc:e6:1d:65:82:47:c2:14:a8:c6:6e:3d:2f:70:03:
         37:59:e4:ff:67:10:7b:c6:cf:f2:7f:bf:4a:5f:f2:d1:43:b8:
         c7:80:59:9d:e6:c5:52:d2:31:f3:52:b5:63:28:3d:97:cb:6c:
         bd:19:77:79:6c:61:fa:80:a6:06:2c:4b:d4:3c:c9:58:9e:01:
         9c:2d:1c:49:4c:41:6c:4f:f4:7a:b7:45:af:38:ab:04:dd:28:
         c0:3c:36:6b:56:9a:d6:86:e7:3a:5e:2a:22:09:21:9d:8e:86:
         28:da:07:3c:df:5a:0e:c0:1d:19:97:0f:0c:05:af:15:c3:69:
         37:6c:06:98:ae:81:cc:0d:c4:08:fe:26:20:77:71:63:39:d3:
         42:d7:ce:7f:27:5c:d3:4e:64:53:a4:6b:10:1f:ac:20:ec:c4:
         b4:cf:4b:95:97:62:af:b2:d2:53:b3:d1:68:9f:8c:cb:b4:e2:
         d7:77:89:8b:7c:f7:10:ae:01:77:ff:46:2d:b1:bf:79:0a:47:
         85:0c:c0:0f:9d:b4:e9:20:a5:5b:0e:81:24:d0:eb:a5:e3:a5:
         80:2e:f9:b8:f4:37:d9:50:1f:e5:c6:3d:2c:a9:2d:89:a9:f4:
         57:5c:d0:d7:0a:5c:8d:81:05:48:a3:d4:23:e8:30:1e:1c:96:
         ee:c6:0e:8b:20:5f:6c:81:a2:6e:12:51:d5:0d:db:52:53:f9:
         f6:1f:05:1e:f1:bf:a7:e6:d1:cb:80:fa:7f:d7:a7:56:1c:03:
         10:75:55:5f:62:fd:fc:02:ca:3e:2d:a0:68:06:8b:6c:58:63:
         74:84:ec:56:39:b4:79:86:82:0a:e6:f4:d3:85:11:bc:63:bd:
         2f:00:07:d6:5d:3b:4a:33:c6:b2:ac:b1:48:32:4a:b4:3b:f7:
         3a:35:3b:20:39:ae:0f:b8:97:10:bc:3f:08:34:1e:80:68:66:
         9f:f5:d3:cc:95:dc:d2:a9:88:f6:09:02:09:55:44:fc:b5:52:
         d6:80:a4:26:6e:7d:8d:91:37:b5:bd:45:2b:17:f2:c3:f1:28:
         ee:c0:f9:fb:f7:be:34:94:71:02:d7:01:c5:93:ed:42:2f:b3:
         e2:78:7c:af:7c:05:c4:5f:4a:63:af:70:9a:cf:be:c5:8f:ca:
         0a:60:44:ca:73:a8:3f:d2:7c:1a:ae:3a:3e:d0:35:61:ce:41:
         2c:d7:b3:06:5d:9f:3d:89:00:9d:8e:54:df:1b:a2:2f:cf:a5:
         a3:88:f4:87:9a:b7:32:05

You then upload the CSR to a CA to have it signed. The CA issues a certificate from it and returns that to you.

The top of the issued certificate will look much the same as the CSR, because the subject and public key are copied over, but the CA also adds an issuer, a serial number, a validity period and its own signature, and it decides which of the requested extensions to honour. The self-signature at the bottom of the CSR, made with the requester's own key, is not part of the certificate; in its place is the CA's signature, which is what lets a client verify the certificate against the CA.

2.1 CA that can sign your CSR

You can use an external CA such as letsencrypt.org, or let the pfsense firewall run a local CA and have it sign the CSR. A public CA will only issue for a name it can validate in public DNS, so for a name like kriksis.home.arpa above (home.arpa is reserved for home networks and never resolves publicly) the local CA is the only option.

2.1.1 pfsense local CA

First create a CA on pfsense, under:

  • System
  • Certificate Manager
  • CAs

    I created a CA certificate and called it Internal pfsense CA.

Clients only trust certificates this CA issues once the CA certificate (the certificate only, never its private key, which stays on the firewall) has been exported and added to their trust stores; until then the browser will still warn about the webgui certificate.

2.1.2 pfsense Certificates

Once you have a local CA, you can create certificates that are then signed by it.

  • System
  • Certificate Manager
  • Certificates
    • Add/Sign, with the following options:
      • Method: Create an internal Certificate
      • Certificate Authority: the Internal pfsense CA created earlier. (To use an external CA such as letsencrypt instead, the method would be Create a Certificate Signing Request, then have the external CA sign the CSR, which turns it into a certificate, and finally import that as an existing certificate.)
      • Key type and digest: for the management certificate I chose RSA 4096 with a SHA-256 digest
      • Common Name: I used the FQDN of my pfsense
      • filled in the remaining fields
      • Certificate Type: Server Certificate is what you want, so that the pfsense webgui can be served over https rather than http; it is what produces the server extensions (Netscape Cert Type: SSL Server, TLS Web Server Authentication) seen in the CSR above
      • Alternative Names: add the same FQDN. Browsers match the name in the URL against the Subject Alternative Name, not the Common Name, so a certificate without the FQDN in its SAN is rejected even when the CN is right. If you also browse to the firewall by IP address, add that as an IP-type alternative name too.

Once you have this certificate, you need to tell pfsense to use it instead of the self-signed webgui certificate it generates by default.

2.1.3 telling pfsense to use the certificate

Once the above is done, configure:

  • System
  • Advanced
  • Admin Access
  • webConfigurator
    • Protocol: HTTPS (SSL/TLS)
    • SSL/TLS Certificate: the mgt certificate created above
    • Alternative Hostnames: make it match the FQDN in the mgt certificate. pfsense checks the Host header of every webgui request against its own hostname and this list (the DNS rebinding and HTTP_REFERER checks), so a FQDN that is not listed is refused even though the certificate for it is valid.

2.2 Secure Shell

SSH access to the firewall is configured under:

  • System
  • Advanced
  • Admin Access
  • Secure Shell
    • SSHd Key Only: when set to Public Key Only, SSH access requires authorized keys, and these keys must be configured for each user that has been granted secure shell access. If set to Require Both Password and Public Key, the SSH daemon requires both an authorized key and a valid password to gain access. The default Password or Public Key setting allows either a valid password or a valid authorized key to log in, so a guessable password is enough on its own; choose Public Key Only (or Require Both) for a firewall.
    • SSH port: override to something less obvious than 22. This only cuts down scanner noise in the logs; it is not an access control. Key-only authentication, and firewall rules that limit which source networks can reach the SSH port at all, are what actually protect the daemon.

3 Diagnostics

3.1 CommandLine

3.1.1 speedtest

You can run speedtests directly from the pfsense command-line prompt. First install the package with pkg, then run it:

  pkg search speedtest                # find the package name in the repository
  pkg install py311-speedtest-cli     # the search returned py311-speedtest-cli-2.1.3
  speedtest                           # test against the nearest server
  speedtest -h                        # usage
  speedtest --list                    # list nearby servers with their IDs
  speedtest --server <id>             # test against a specific server

Anything installed by hand with pkg like this sits outside the Package Manager (section 4), so do not expect it to survive a pfsense upgrade.

speedtest --list output will look something like this:

Retrieving speedtest.net configuration...
46148) Rogers (Brampton, ON, Canada) [2.95 km]
46144) Rogers (Etobicoke, ON, Canada) [21.65 km]
52346) Bell Mobility (York, ON, Canada) [22.75 km]
17568) Bell Canada (North York, ON, Canada) [25.51 km]
46811) Rogers (North York, ON, Canada) [25.51 km]
13238) Frontier Networks Inc (Toronto, ON, Canada) [27.85 km]
23748) Fibernetics (Toronto, ON, Canada) [27.85 km]
46810) Rogers (Markham, ON, Canada) [33.92 km]
46699) Netcrawler.ca Internet (Markham, ON, Canada) [33.92 km]
46431) Rogers (Scarborough, ON, Canada) [40.00 km]

The numbers in the first column are server IDs for the --server parameter, so to run the speedtest against Frontier Networks in Toronto you would run speedtest --server 13238.

Interesting fact: IP addresses are typically written for humans as a quadruple of 8-bit values in decimal form, so

4 pfsense 3rd party packages

These are installed on a pfsense firewall from the pfsense repository.

  • System/Package Manager/Installed Packages to see what is installed
  • System/Package Manager/Available Packages to list packages in repository
  • System/Package Manager/Available Packages/+Install to install one